Re: Dropping external recursive requests
That ought to work, and work well. This will not impact outside name servers that query your name server, because they send iterative queries. If they're sending recursive queries, they're abusing your server. I can't see any problems with this approach. If you have authoritative data in the third view, make sure that when the first view wants to look it up, its iterative query to the server machine itself is routed through to the third view (rather than being captured by the first view). Chris Buxton Men Mice On Tue, 2008-12-02 at 17:10 -0800, [EMAIL PROTECTED] wrote: Our DNS server occasionally get requests for recursion with forged src addresses. Currently our server returns Standard query response, Refused since our named.conf only allows recursion for our internal machines. This, of course, results in the poor machine whose address was forged receiving spurious traffic. Some of the Cisco firewalls support DNS inspection and can be configured to drop requests which want recursion. What are the ramifications of enabling this? Can bind be configured to do this? I was thinking about something like: view internal { match-clients { localhost; localnets; }; ... } view external-recursive { match-clients { any; }; match-recursive-only yes; blackhole { any}; } view external { ... } -- John [EMAIL PROTECTED] ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dropping external recursive requests
In message [EMAIL PROTECTED] t, Alberto Colosi/SI/RM/GSI/it writes: why not? beter handled by isc and done in a clean way then 1.000.000 of dirty ways as these ;) Please go read RFC 5358. No where in there does it say to drop responses. If we though that dropping queries was a good idea it would have been explicitely documented in RFC 5358. Not offering recursive service means returning REFUSED. --- Alberto Colosi IBM Global Business Services Sistemi Informativi S.P.A. IT NetWork Security Department *-* *-* *-* SECURITY IS EVERYONE'S BUSINESS Member of IBM Information Security WW CoP -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dropping external recursive requests
On Dec 3, 6:26 pm, Mark Andrews [EMAIL PROTECTED] wrote: If it is a forged packet it should be dropped regardless of the setting of RD. True, however not something that's easily determined from a distance. Ideally ingress filtering would render this a non-issue, however there obviously holes in the current filtering done by ISPs. If the only reason to think the packet is forged is the setting of RD=1 then the OP has committed a reasoning error. The situation that we've encountered on a couple of occasions is a steady stream (several a second) of the exact same query with the same source address for several days. When we contact the owner of the source address, they state they're under DDoS attack and are not the source of the request. Part of the attack they experience is the Refused response from our DNS server. Also rd being set my just be the result of someone testing with a tool which sets rd by default. In which case they can change the setting. Which is worst ... occasionally dropping a request from someone using a misconfigured tool / server, or participating in a larger DDoS attack? Granted that dropping external requests with RD=1 doesn't eliminate the potiental for DDoS attacks, it just changes it. One needs to be really, really careful here. Understood ... and I realize that things shouldn't be oversimplified (i.e. by assuming RD=1 must mean an evil request). Part of the purpose for this post is to start a discussion on the pros / cons. -- John [EMAIL PROTECTED] ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users