About "update" packets

Kevin Darcy kcd at daimlerchrysler.com
Wed Jun 16 22:53:05 UTC 2004


Maurizio Colella wrote:

>Dear all,
>I'm having some problems with some clients that, from the Internet, try to
>"update" my DNS (9.2.3)! (..Hackers ?)
>I need to make the update only from my machine, so I've configured my
>named.conf to use "allow-update" and the "key" statement.
>At the moment my DNS "denied" any update from all clients that are not
>compliant (..ip-address and key are not correct !!); in addition, I've also
>closed all TCP packets from any to my DNS, because I've supposed that
>"update" is performed only by TCP, but I see that "update" is always
>present! So, my simple question is: is the "nsupdate" sent in UDP packets
>??.. Do you have some suggestions ??
>
Denying TCP is unwise, as others have pointed out.

Restricting zone transfers is (arguably) a waste of time too.

I would recommend *not* permitting Dynamic Update on any Internet-facing 
machine. Set up some other, internal machine as a "hidden master", do 
the Dynamic Updates there, and then propagate the zones via zone 
transfer. The Internet-facing machines would just be slaves and wouldn't 
allow any Dynamic Updates at all. Run named chroot'ed and unprivileged 
on the Internet-facing machines. Even if a hacker were to break 
into your machine, they wouldn't be able to do much of anything except 
mess up your zone data, and even that would be self-correcting as of the 
next zone transfer...

- Kevin
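The hidden-master layout Kevin describes, sketched as two BIND 9 named.conf fragments. This is an added example, not part of the original message or the bind-users archive; the zone name, addresses and key name are assumptions, and the secret is a placeholder.

```conf
// ---- named.conf on the hidden master (internal, not reachable from the Internet) ----
// Added example; zone, addresses and key name are assumptions.
key "update-key" {
    algorithm hmac-md5;                 // TSIG algorithm available in BIND 9.2
    secret "<PLACEHOLDER-BASE64-SECRET>";
};

options {
    recursion no;
    notify explicit;                    // notify only the hosts in also-notify
    also-notify { 192.0.2.10; 192.0.2.11; };  // the public slaves (assumed)
};

zone "example.com" {
    type master;
    file "masters/example.com.db";
    // Dynamic Update is accepted on this host only, and only when TSIG-signed.
    allow-update { key "update-key"; };
    // Only the public slaves may pull the zone.
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};

// ---- named.conf on each Internet-facing slave (192.0.2.10, 192.0.2.11) ----
options {
    recursion no;
    allow-query { any; };
    allow-update { none; };             // no Dynamic Update at all on the public face
    allow-transfer { none; };           // the public slaves do not serve AXFR themselves
};

zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 10.0.0.5; };              // the hidden master (assumed internal address)
    allow-update { none; };
};
```

The zone's NS records list only the two public slaves, so the master never appears in DNS; a rejected update attempt against a slave shows up in the slave's log as a refused update, and a tampered slave zone file is replaced at the next transfer from the master.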