How to return REFUSED

Axel Rau Axel.Rau at chaos1.de
Thu May 6 16:41:58 UTC 2021



> On 06.05.2021 at 16:45, Tony Finch <dot at dotat.at> wrote:
> 
> Axel Rau <Axel.Rau at Chaos1.DE> wrote:
> 
>> I have,
>> 
>> 	allow-query { any; };
>> 	allow-query-cache { recursive-users; };
>> 	allow-recursion { recursive-users; };
>> 
>> How can I make sure that non-recursive-users get a REFUSED if the query is recursive?
> 
> Weird! I think your config should do what you want so I wonder why it
> isn't working. Your server is responding to the problem queries with a
> referral from the root zone, so have you configured your server with a
> local authoritative copy of the root?

Yes.
> 
> There's a broader issue here:
> 
> Usually when you have a server that is providing recursive service to
> anyone, it is best to set the allow-query ACL to cover just your users, so
> everyone else gets REFUSED.
> 
> This means that your recursive server cannot also be used as an
> authoritative server advertised in NS records. Your public authoritative
> servers should be authoritative-only and not offer recursion to anyone.
> 
>> PS: I want to minimize the responses to this amplification attack:
> 
> Ooh, RRSIG queries are fun. They are like a stealth ANY query.
> 
> BIND has several tools for dealing with this kind of junk:
> 
>  * RRL is very effective
> 
>  * minimal-any also minimizes responses to RRSIG queries
> 
>  * minimal-responses can also help to reduce packet sizes
> 
> Your server is responding with a referral from the root, so minimal-any
> won't have any effect on the response. And because it's a referral, the
> glue etc. is not optional, so there's nothing that minimal-responses can
> omit. So in your situation the most useful things to do would be:
> 
>  * tighten up your allow-query ACL
> 
>  * if you can't do that, use RRL (you can add recursive-users to the
>    exempt-clients list)
> 
>  * configure separate views for recursive-users and others; do not
>    include the root zone in your external view

Currently, I have:

    minimal-responses yes;
    require-server-cookie yes;

    rate-limit {
        responses-per-second 5;
        exempt-clients { recursive-users; };
    };

which do not really help.

This NS has some other clients in the DMZ LAN, so I need views.
I gave up on views years ago and now have to learn to use them with all the recent stuff, like in-view.
in-view can be helpful to reference the auth zones in the local view, I guess.

Thanks for your comprehensive explanation,
Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius
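The view split Tony describes (resolver view for recursive-users only, authoritative-only external view without the root zone, auth zones shared via in-view), written out as an added example that is not configuration from either poster; the ACL prefixes, the example.net zone, the file path and the use of a mirror zone for the local root copy are assumptions:

```conf
// Constructed example: ACL prefixes, zone name and file path are placeholders.
acl "recursive-users" { 192.0.2.0/24; 2001:db8::/32; };

options {
    // Global hardening that applies in every view.
    minimal-responses yes;
    require-server-cookie yes;
};

// Internal view: recursive service for recursive-users only.
// The local copy of the root zone lives here and nowhere else.
view "internal" {
    match-clients { recursive-users; };
    recursion yes;
    allow-query { recursive-users; };
    allow-query-cache { recursive-users; };
    allow-recursion { recursive-users; };

    // Assumed: the local root copy is loaded as a mirror zone (BIND 9.14+).
    zone "." {
        type mirror;
    };

    zone "example.net" {
        type primary;
        file "/var/named/example.net.zone";
    };
};

// External view: authoritative-only for everyone else. With no root zone
// and recursion off, a recursive query for a name outside the authoritative
// zones gets REFUSED instead of a root referral, so there is nothing to amplify.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };          // answers only for the zones defined below
    allow-query-cache { none; };
    allow-recursion { none; };

    // RRL still throttles floods against the authoritative zones.
    rate-limit {
        responses-per-second 5;
    };

    // Share the authoritative zone with the internal view instead of loading it twice.
    zone "example.net" {
        in-view "internal";
    };
};
```

Views are matched in order, so recursive-users must be listed before the catch-all external view, and the view named in in-view has to be defined earlier in the file.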
