DDOS prevention - how to restrict queries to hint (root) zones?

[MAtteo HCE Valsasna]

hi all,

We run BIND 9.3.4-P1.1 on Debian GNU/Linux 4.0 (using the distribution's
package), that do both recursive queries for internal clients (with
proper allow-recursion clause) and authoritative servers for the
institution's domain.


There are reports of DDOS attacks based on DNS requests for the root
zone with spoofed source IP address: 
* the attacker sends a request for the root zone with spoofed source
address to a DNS server 
* The intermediate victim (DNS server) sends the reply packet -
significatively larger than the request - to the ultimate victim (the
owner of the spoofed source IP address in the request packet).
* the ultimate victim connection is flooded

http://isc.sans.org/diary.html?storyid=5773


I verified that our servers reply when queried from a non-trusted source
address for the root zone. (and we must also notice that the
"non-trusted source address" argument is pretty pointless when dealing
with spoofed source addresses: if a query with a spoofed internal source
address could reach the server, the server would just DDOS an internal
machine. But we do discard inbound packets with internal source IP
addresses on the network border).

The first answer to this threat would be to disallow queries for the
root zone would for any client (the root zone is used only by the server
itself, right?).

* Do you think there is any reason NOT do do this? 

* Do you know a simple way to do this?
        
        the trivial solution of adding an allow-query clause to the root
        zone definition is refused by the server, as hint type zones
        cannot have an allow-query clause - see
        https://lists.isc.org/pipermail/bind-users/2006-January/061077.html
        
        there is possibly a way to do this using views, but...
        anything simpler?



best regards and thanks for any answer


MAtteo Valsasna