DNS "Zone Update" Attack

base60 nobody at whitehouse.com
Thu Dec 1 02:10:28 UTC 2005


Merton Campbell Crockett wrote:
> On Tue, 29 Nov 2005, Stefan Puiu wrote:
> 
> 
>>I think the default in BIND 9.3.1 is to not allow any DDNS updates, so no
>>change is required from the default. You have to explicitly state some
>>update-policy or allow-update statement in order to permit updates.
> 
> 
> Understood.  The dynamic DNS update requests were being rejected; however, 
> the activity did consume resources.

Many windows systems attempt to do this by default.

> 
> A complicating factor is that our IT department insisted that I move the 
> external name server from a BSD/OS to a Linux -based system.  The latter 
> isn't POSIX thread compliant or, at least, I assume it's still not 
> compliant as BIND complains that it is not able to take advantage of the 
> dual-processor hardware.
> 
> I do not intend to honour dynamic DNS update requests on this server.  I 
> want to minimise the resources needed to log the event and terminate the 
> request as quickly as possible.
> 
> So, the question boils down to what is the best way to terminate DNS 
> requests that you do not intend to support?

The allow-updates is off by default, but explicitly adding it doesn't
hurt.

"blackhole" tosses the request, but you could do the same with a null
route "route add 202.54.91.119 localhost -reject" which would eliminate
it prior to it hitting bind.

> 
>>On 11/29/05, Merton Campbell Crockett <mcc at cato.gd-ais.com> wrote:
>>
>>>
>>>There appears to be two ways of doing this in BIND 9.3.1.  The first 
>>>would be to add the following to each zone statement.
>>>
>>>        allow-updates { none; };
>>>
>>>I'm not sure that the above syntax is correct.  The second would be to 
>>>add the following to the options statement.
>>>
>>>        blackhole { 202.54.91.119; };
>>>
>>>The latter seems easier to manage but may have unexpected 
>>>side-effects.  By the way, that is the IP address of the system 
>>>attempting to update our DNS zones.
>>>
> 
> Merton Campbell Crockett
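An added example, not part of this thread: a small Python script that counts denied dynamic-update attempts per client in the lines BIND writes to its update-security log category (the sample log lines are constructed in that format, and the regex is an assumption about it), then renders the two stanzas discussed above, a zone `allow-update { none; };` (the singular spelling is what BIND accepts) and an options `blackhole` list built from the clients that exceed a threshold.

```python
import re
from collections import Counter

# Constructed sample log in the shape BIND 9 uses for rejected updates:
# syslog prefix + "client A.B.C.D#port: update 'zone/IN' denied".
SAMPLE_LOG = """\
Dec  1 02:10:11 ns1 named[1234]: client 202.54.91.119#1025: update 'example.com/IN' denied
Dec  1 02:10:12 ns1 named[1234]: client 202.54.91.119#1026: update 'example.com/IN' denied
Dec  1 02:10:15 ns1 named[1234]: client 192.0.2.77#3201: update 'example.net/IN' denied
Dec  1 02:10:20 ns1 named[1234]: client 192.0.2.77#3202: query: www.example.com IN A +
Dec  1 02:10:28 ns1 named[1234]: client 202.54.91.119#1027: update 'example.com/IN' denied
"""

# Assumed line format; the optional "@0x..." and "/key name" parts cover newer BIND builds.
DENIED_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+.*?: update '(?P<zone>[^']+)' denied"
)


def denied_updates_by_client(log_text):
    """Count denied dynamic-update attempts per source address (queries are ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def blackhole_stanza(counts, threshold=1):
    """Render an options-level blackhole list for clients at or above the threshold."""
    ips = sorted(ip for ip, n in counts.items() if n >= threshold)
    if not ips:
        return "blackhole { none; };"
    return "blackhole { " + " ".join(f"{ip};" for ip in ips) + " };"


def zone_stanza(zone_name, zone_file):
    """Render a master zone statement that explicitly refuses dynamic updates."""
    return (f'zone "{zone_name}" {{\n    type master;\n    file "{zone_file}";\n'
            "    allow-update { none; };\n};")


if __name__ == "__main__":
    hits = denied_updates_by_client(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} denied update(s)")
    print(blackhole_stanza(hits, threshold=2))
    print(zone_stanza("example.com", "db.example.com"))
```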