dealing with dnsa1.c (see bugraq)
Richard Stevenson
RichardS at adv.net.nz
Tue Feb 29 01:14:26 UTC 2000
On 29 Feb 2000, at 0:37, bleve at my-deja.com wrote:
> Posted today on bugtraq was a script to do smurf-like attacks on DNS
> servers. I haven't gotten it to compile yet on my servers (solaris 7 &
> 8), so haven't tested it to see what it will do to my BIND
> installations.
>
> Anyone have any suggestions for how to combat it?
This isn't a new issue - it's very similar (if not identical to) one of the
TESO things mentioned earlier this month. You just need to restrict access
to your nameservers using allow-query and/or allow-recursion, so that only
your users are able to get your servers to perform arbitrary queries.
Wherever possible, I restrict mine so that they'll only answer if a) the
query comes from a machine that has a legitimate need to query that
nameserver, or b) the query is for an object that my nameserver is
authoritative for.
Cheers
Richard
More information about the bind-users
mailing list