preventing external use of nameserver for non-authoritative zones
Robin Stevens
robin.stevens at computing-services.oxford.ac.uk
Mon Feb 5 11:41:21 UTC 2001
On Thu, Feb 01, 2001 at 11:04:12AM -0700, Cricket Liu wrote:
> > I'm attempting to lock down our nameservers to prevent arbitrary hosts
> > from getting responses to arbitrary queries, as recommended by the CIAC
> > bulletin http://ciac.llnl.gov/ciac/bulletins/j-063.shtml
> >
> > Mostly, there's no problem: I can lock things down such that internal
> > users can use our servers for all requests, but external users may only
> > use them for the zones for which we are authoritative.
> Instead of using a query access control list, you could use the
> allow-recursion substatement introduced in BIND 8.2.1 to restrict
> recursive queries to clients on your network.
As far as restricting external usage of the nameservers goes, this does the
job, but it's been pointed out that as regards the risk as described in the
CIAC bulletin, it doesn't actually help much. The payload returned even
for nonrecursive queries can be quite large. For instance a query on
www.cam.ac.uk. will result in seven nameservers for cam.ac.uk. being
returned (comparable to the amount of data being returned when one of our
servers was used as part of a DoS attack recently); other queries will no
doubt return more data.
Robin
--
--------------- Robin Stevens <robin.stevens at oucs.ox.ac.uk> -----------------
Oxford University Computing Services http://www-astro.physics.ox.ac.uk/~rejs/
(+44)(0)1865: 726796 (home) 273212 (work) 273275 (fax) Mobile: 07776 235326
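A named.conf fragment showing the two controls discussed in this thread side by side: the allow-recursion-only setting, and a global allow-query restriction with per-zone overrides for the authoritative zones. This is an added example, not configuration from the post or from BIND's documentation; the 192.0.2.0/24 network, the zone names and the file paths are constructed placeholders.

```conf
// Constructed example: addresses, zone names and file names are placeholders.
acl "internal" { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";

    // Setting discussed in the thread: restricting recursion alone.
    // External hosts can no longer use the server as a recursive resolver,
    // but still receive non-recursive answers (referrals, NS sets) for
    // zones this server is not authoritative for, which can be sizeable.
    // allow-recursion { "internal"; };

    // Tighter default: refuse all queries from outside the internal ACL,
    // and restrict recursion to it as well (allow-recursion is BIND 8.2.1+).
    allow-query     { "internal"; };
    allow-recursion { "internal"; };
};

// Zones this server is authoritative for are re-opened to everyone;
// a per-zone allow-query overrides the global one in options.
zone "example.org" {
    type master;
    file "db.example.org";
    allow-query { any; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.192.0.2";
    allow-query { any; };
};
```

With the global allow-query in place, an external client asking about a name outside the authoritative zones gets a REFUSED response rather than a referral with a full NS set.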