Matthias Subik wrote:
> On 10.01.2006, at 09:14, lore wrote:
>
>> At 17:49, Monday 9 January 2006, Morten Nilsen wrote:
>>> lore wrote:
>>>> view "external-in" in {
>>>> recursion yes;
>>> no. no no no no. bad! bad admin! do not allow the world to recurse!
>
> the problem seems to be over estimated, since there are huge
> providers still not closing their recursive dns from the outside (not
> to fingerpoint anybody, but the only extra large ripe class provider
> in austria is still doing it).
>
>
> matthias
> ps: but in general, and for new installations I have to support
> morten, don't open recursive for all. not b/c of the scriptkiddies
> and spammers, but because of the DoS chance. You need your nameserver
> badly.

I think Morten meant DoS by mentioning scriptkiddies. Uninett.no recently suffered a 2Gbps DoS attack simply by using open recursive DNS servers. This happened quite recently.

For those of you who don't know what this is all about:

Attacker creates a normal domain with a huuuuge TXT-record (as big as allowed). Attacker then queries these open servers about the TXT-record. The recursive servers then cache this result. So far harmless.

Now you gather a botnet and make it send DNS-requests for that TXT, but spoof the sender to be a victim's IP address. Hundreds or thousands of nameservers get a little bit flooded and all their replies hit the victim.

Do NOT allow untrusted hosts to do recursive lookups.
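An added example (not from this thread or from any of its posters): a BIND 9 named.conf fragment showing the quoted open-recursion view next to a corrected split into an internal recursive view and an authoritative-only external view. The ACL name "trusted", the address ranges and the zone name are constructed placeholders.

```conf
// WEAK (as quoted in the thread): the externally reachable view recurses
// for anyone, so any spoofed query can make it answer towards a victim.
//
// view "external-in" {
//     match-clients { any; };
//     recursion yes;
// };

// Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space);
// replace with your own LAN and customer prefixes.
acl "trusted" {
    127.0.0.0/8;
    192.0.2.0/24;
    2001:db8::/32;
};

// CORRECTED: recursion only for trusted clients, in its own view.
// Views are matched in order, so trusted clients land here first.
view "internal-in" {
    match-clients { "trusted"; };
    recursion yes;
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };
    zone "example.com" {
        type master;
        file "db.example.com";
    };
};

// Everyone else gets authoritative answers for hosted zones only;
// recursive queries and cache reads are refused (REFUSED, not served).
view "external-in" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    zone "example.com" {
        type master;
        file "db.example.com";
    };
};
```

Run `named-checkconf` on the resulting file before reloading; with views in use, every zone must live inside a view or named will refuse to start.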
_______________________________________________ tsl-discuss mailing list [email protected] http://lists.trustix.org/mailman/listinfo/tsl-discuss
