preventing external use of nameserver for non-authoritative zones

Kevin Darcy kcd at daimlerchrysler.com
Wed Feb 7 00:37:29 UTC 2001


Robin Stevens wrote:

> On Thu, Feb 01, 2001 at 11:04:12AM -0700, Cricket Liu wrote:
> > > I'm attempting to lock down our nameservers to prevent arbitrary hosts
> > > from getting responses to arbitrary queries, as recommended by the CIAC
> > > bulletin http://ciac.llnl.gov/ciac/bulletins/j-063.shtml
> > >
> > > Mostly, there's no problem: I can lock things down such that internal
> > > users can use our servers for all requests, but external users may only
> > > use them for the zones for which we are authoritative.
>
> > Instead of using a query access control list, you could use the
> > allow-recursion substatement introduced in BIND 8.2.1 to restrict
> > recursive queries to clients on your network.
>
> As far as restricting external usage of the nameservers goes, this does the
> job, but it's been pointed out that as regards the risk as described in the
> CIAC bulletin, it doesn't actually help much.  The payload returned even
> for nonrecursive queries can be quite large.  For instance a query on
> www.cam.ac.uk. will result in seven nameservers for cam.ac.uk. being
> returned (comparable to the amount of data being returned when one of our
> servers was used as part of a DoS attack recently); other queries will no
> doubt return more data.

Have you tried restricting allow-query *and* allow-recursion? My guess (and mind
you, it's strictly a guess) is that your nameserver is honoring the query the
first time around because it doesn't know for sure that it's in a delegated
subzone of one of your allow-query'ed master zones, until after it recurses and
sees some credible delegation records (but by then the ACL check has cleared). If
you restrict recursion *and* allow-query then you might create a Catch-22 for
such queries -- named doesn't know whether they're in the allow-query zone or
not, but neither can it recurse to find out. Either way, the query should be
refused.

Another option is to set up the delegated subzones as slave zones with explicit
allow-query's (might work with stub zones too).


- Kevin

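The two-ACL arrangement and the slave-zone alternative that Kevin describes, written out as a named.conf fragment. This is an added example, not configuration from the original post or from the BIND distribution; the ACL name "internal", the 192.0.2.0/24 network, the zones example.net and sub.example.net, the file paths and the master address 192.0.2.53 are all placeholders. The syntax is the allow-query / allow-recursion form available since BIND 8.2.1, as mentioned in the thread.

```conf
// Who may use this server as a full-service resolver.
// 192.0.2.0/24 is a placeholder for the site's own address space.
acl "internal" {
    127.0.0.1;
    192.0.2.0/24;
};

// --- Weak: the allow-recursion-only setup Robin describes ---
// Outsiders cannot make the server recurse, but any client may still
// send non-recursive queries and receive full authoritative answers
// (including the complete NS set for a zone).
//
// options {
//     directory "/var/named";
//     allow-recursion { internal; };
// };

// --- Hardened: restrict allow-query *and* allow-recursion ---
options {
    directory "/var/named";

    // Default for every name not covered by a zone-level allow-query:
    // refuse queries from anyone outside the internal ACL.
    allow-query { internal; };

    // Only internal clients may trigger recursion. Together with the
    // restricted allow-query above, this is the combination Kevin
    // suggests trying for names that fall in delegated subzones.
    allow-recursion { internal; };
};

// Zone we are authoritative for: re-open it to the world with a
// zone-level allow-query, which overrides the options-level default
// for names inside this zone.
zone "example.net" {
    type master;
    file "master/example.net";
    allow-query { any; };
};

// Kevin's second option: carry a delegated subzone as a slave (he
// notes a stub zone might work too) so the server holds the subzone
// data locally, again with its own explicit allow-query.
zone "sub.example.net" {
    type slave;
    file "slave/sub.example.net";
    masters { 192.0.2.53; };   // placeholder: address of the subzone's master
    allow-query { any; };
};
```

After reloading (ndc reload on BIND 8, rndc reload on BIND 9), check from a host outside the "internal" ACL with dig @<server> www.example.net, which should still be answered from the master zone, and dig @<server> www.sub.example.net, comparing the status and the number of records returned with what the server gave before the change. Repeat the same two queries from an internal host to confirm that recursion still works for your own users.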