> From PowerDNS users we have heard of problems caused by various domain names
> related to PowerDNS Security Advisory 2014-02 (CVE-2014-8601),
> http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/
>
> If you are not yet in a position to upgrade to 3.6.2, or even if you have
> upgraded and traffic for these domains is causing CPU spikes anyhow, we
> recommend the following configuration line as a workaround:
>
> auth-zones=ezdns.es=nullzone,ezdns.gs=nullzone,ezdns.it=nullzone,ezdns.la=nullzone,ezdns.me=nullzone,ezdns.ms=nullzone,ezdns.pl=nullzone,ezdns.pm=nullzone,ezdns.re=nullzone,ezdns.so=nullzone,ezdns.sx=nullzone,ezdns.tf=nullzone,ezdns.wf=nullzone,ezdns.yt=nullzone
>
> And this file 'nullzone':
> @ 3600 IN SOA ns hostmaster 2013041204 9000 450 604800 450
> @ 3600 IN NS ns1
> ns1 3600 IN A 127.0.0.1
>
> You might need to add a path to nullzone for this to work reliably.

auth-zones is good. Even better would be 'auth-zones-from-file' with one
domain name per line.

It would also be good to have some more discussion of the best way to
battle the latest round of <random>.domain lookups from compromised
clients. We're currently seeing a significant number of A lookups for

Gpd9LVuC.arkhamnetwork.org.
KGm3G79l.arkhamnetwork.org.
L4pEXeQO.arkhamnetwork.org.
xwpJ2qas.arkhamnetwork.org.
4P9ySJ1W.arkhamnetwork.org.
...

i.e. <random>.arkhamnetwork.org - and we assume the goal is a DDoS of
the name servers for arkhamnetwork.org. In other cases the goal is to
trigger a large reply, and flood the (spoofed) original source of the
queries via reflection.

So what is best here?

- Return NXDOMAIN for these queries?
- Return for instance 127.0.0.1 for these queries?

A quick dig check shows that the NXDOMAIN reply is actually larger than
the 127.0.0.1 reply. If these replies are eventually returned to a
(spoofed) victim it might matter (this is typically the case for open
DNS proxies). If we answer these from auth-zones configured into the
recursor, the traffic to the real authoritative name servers for the
domain is obviously irrelevant.

Steinar Haug, AS 2116
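
An added example, not part of the thread and not PowerDNS code: a small generator that builds the auth-zones= line quoted above from a one-domain-per-line list, using an absolute path to the nullzone file as the quoted message advises. The function names, the sample list and the path /etc/powerdns/nullzone are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_domains(text):
    """Return validated, de-duplicated zone names from one-per-line text."""
    zones, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not name:
            continue  # blank line or comment
        labels = name.split(".")
        # Reject single-label names so a typo cannot null-route a whole TLD,
        # and reject ',' or '=' which would corrupt the auth-zones syntax.
        if len(name) > 253 or len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
            raise ValueError(f"line {lineno}: not a valid domain name: {raw!r}")
        if name not in seen:
            seen.add(name)
            zones.append(name)
    return zones


def auth_zones_line(zones, zone_file):
    """Build the recursor 'auth-zones=' setting mapping every zone to one file."""
    path = PurePosixPath(zone_file)
    if not path.is_absolute():
        raise ValueError("use an absolute path to the zone file")
    if any(c in str(path) for c in ",= \t"):
        raise ValueError("zone file path contains a separator character")
    return "auth-zones=" + ",".join(f"{z}={path}" for z in zones)


# Constructed sample list; the names are taken from the thread above.
SAMPLE = """\
# zones to answer locally from the nullzone file
ezdns.es
ezdns.gs
EZDNS.ES.
arkhamnetwork.org
"""

if __name__ == "__main__":
    # /etc/powerdns/nullzone is an assumed location for the zone file.
    print(auth_zones_line(parse_domains(SAMPLE), "/etc/powerdns/nullzone"))
```
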
