Tanner Lovelace wrote:
Greetings,

It looks like people have come up with ways to use recursive DNS
servers to cause a distributed denial of service on other name servers[1].
There's nothing new here, recursive DNS servers have been the norm
for many, many years, but then again, so were open SMTP relays[2].
So, as a result, it seems that prudence would suggest that people
secure their DNS servers.  However, just turning off recursive DNS
is generally not an option because DNS doesn't work without it.
Instead, you need to restrict recursive DNS to just your own network.
Looks like good instructions for doing that with bind can be found
here[3].  Might as well secure now so as to not contribute to problems
later. :-(

And people used to sneer at my split-dns setups...

If you aren't running BIND, your version of BIND doesn't support views, or you're running a DNS server that does not support the concept of recursion restriction based on source, there is another way: run two (or more, two is a minimum) DNS servers. These could reside on a multihomed host, if you wanted to, but separate physical hosts would be best. Configure one server as authoritative only (this is where you put all your DNS entries) that is publicly available and one that is recursive only that is only available on your local network. Configure the recursive DNS server to send all requests for your domain directly to the authoritative server (this is so you can use bogus/test domains, if you want), the rest go to the root servers (or to your ISP's recursive servers).

Mike
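Added example (not from either poster) showing both approaches as BIND 9 named.conf fragments: Tanner's single server with recursion restricted to the local network, and Mike's authoritative-only plus recursive-only pair. It assumes the domain example.com, 192.168.1.0/24 as the internal LAN and 192.0.2.10 as the authoritative server's address; allow-query-cache needs BIND 9.4 or later.

```conf
// ===== Option A: one BIND server, recursion only for the local network =====
acl "trusted" {
    127.0.0.1;
    192.168.1.0/24;                 // assumed internal LAN
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };   // outsiders get REFUSED on recursive queries
    allow-query-cache { trusted; }; // outsiders cannot read cached answers either
    allow-query { any; };           // our own zones are still served to everyone
};

zone "example.com" {
    type master;
    file "example.com.zone";        // assumed zone file
};

// ===== Option B, server 1: public, authoritative only (no views needed) =====
options {
    directory "/var/named";
    recursion no;                   // never resolves on anyone's behalf
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ===== Option B, server 2: internal, recursive only =====
acl "trusted" { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/var/named";
    recursion yes;
    allow-query { trusted; };       // unreachable from outside the LAN
    allow-recursion { trusted; };
    // forwarders { 192.0.2.53; };  // optional: use the ISP's resolvers instead of root hints
};

// Our own domain goes straight to the authoritative box, so test/bogus
// zones defined there resolve internally without being visible outside.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };     // assumed address of server 1
};
```

After reloading, a query with the RD bit set from a non-trusted address should come back REFUSED, while authoritative answers for example.com are still returned.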
--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/