allow-query for non authoritative zones
Ladislav Vobr
lvobr at ies.etisalat.ae
Fri Aug 22 14:30:44 UTC 2003
There are many real situations when the IP addresses are not spoofed, and it
might possibly be most of your valid recursion-desired clients, for example
viruses, worms, Trojan horses. In this case BIND does not offer any mechanism,
and many times people have raised this point here in the list, that caching
time-outs might be very useful in such cases. Even if you split your
authoritative and recursive services, you still have no way to stop your
recursive name server going down if a situation like I mentioned happens.
Caching time-outs would help 100% in my opinion.
Ladislav
Kevin Darcy wrote:
>"Seme, Markus" wrote:
>
>>Hi,
>>I want to block queries from several different source IPs (spoofed) to
>>the same domain (DoS).
>>The domain is not under my authorization - for example microsoft.com!?
>>
>>It's easy to configure BIND9 with acl and allow-query for local zones
>>(in my authorization) - for example:
>>
>>zone "local.com" {
>>    type master;
>>    file "local.com.zone";
>>    allow-query { none; };
>>};
>>
>>But I haven't any idea how I should configure it to block the queries
>>for a domain which is not under my authorization!
>>
>>Or is there any other way to block such a DoS?
>>
>
>Generally speaking, this is better handled by restricting recursion.
>Unless you already have the answer cached, the only way your nameserver
>can get information about zones for which it is not authoritative, is by
>recursing to get the answer. So, no recursion = no answer (more or
>less). In order to lessen the chance of the answer being cached (and
>therefore being returned even in the absence of recursion), it is
>recommended to completely segregate your recursive and non-recursive
>nameservice.
>
>- Kevin
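The approach Kevin recommends above, written out as an added BIND 9 configuration example (not from either poster): a resolver that only recurses for named client networks, and a separate authoritative-only server with no cache to leak. The network ranges, directory, zone name and file names are placeholders. The `allow-query-cache` option did not exist in the BIND 9.2 era of this thread; it was added in BIND 9.4, which is noted in the comments.

```conf
// ---------------------------------------------------------------
// Added example: /etc/named.conf on the RECURSIVE-ONLY resolver.
// Only networks you operate may ask it to recurse; any other source,
// spoofed or not, gets REFUSED for names this server does not serve.
// ---------------------------------------------------------------
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;      // placeholder: your internal client networks
    2001:db8::/32;     // placeholder IPv6 range
};

options {
    directory "/var/named";           // placeholder path
    recursion yes;
    allow-recursion { trusted; };     // outsiders cannot make this server recurse
    // allow-query-cache (BIND 9.4 and later) also stops outsiders reading
    // answers that are already cached, the residual leak Kevin describes;
    // older versions can only close it by segregating the two roles.
    allow-query-cache { trusted; };
    allow-query { trusted; };
    // Upper bound on concurrently outstanding recursive lookups. It does not
    // stop a flood from infected "valid" clients (Ladislav's point), but it
    // bounds the resources they can tie up. 1000 is the BIND 9 default.
    recursive-clients 1000;
};

// ---------------------------------------------------------------
// Added example: /etc/named.conf on the AUTHORITATIVE-ONLY server,
// run as a separate instance or host so it never holds a cache.
// ---------------------------------------------------------------
options {
    directory "/var/named";           // placeholder path
    recursion no;                     // answers only for zones it serves
    allow-query { any; };             // the world must reach your published zones
    allow-transfer { none; };         // zone transfers only where a zone lists them
};

zone "example.com" {                  // placeholder zone, standing in for "local.com"
    type master;
    file "example.com.zone";          // placeholder file
    allow-query { any; };
};
```

Run `named-checkconf` on each file before reloading; a spoofed query for a foreign name against the resolver should then be answered with REFUSED rather than recursed, and the authoritative server simply has nothing to return for names outside its zones.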