DNS "Zone Update" Attack
Stefan Puiu
stefan.puiu at gmail.com
Tue Nov 29 12:45:34 UTC 2005
I think the default in BIND 9.3.1 is to not allow any DDNS updates, so no
change is required from the default. You have to explicitly state some
update-policy or allow-update statement in order to permit updates.
On 11/29/05, Merton Campbell Crockett <mcc at cato.gd-ais.com> wrote:
>
>
> There appear to be two ways of doing this in BIND 9.3.1. The first would be
> to add the following to each zone statement.
>
> allow-update { none; };
>
> I'm not sure that the above syntax is correct. The second would be to add the
> following to the options statement.
>
> blackhole { 202.54.91.119; };
>
> The latter seems easier to manage but may have unexpected side-effects. By
> the way, that is the IP address of the system attempting to update our DNS
> zones.
>
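
An added example, not part of either message in this thread: a small audit that reports, per zone, whether dynamic updates are denied by default, denied explicitly, or permitted by an allow-update or update-policy statement. The sample configuration, zone names, key name and function names are constructed for illustration; view-level inheritance and nested address-match lists are not handled.

```python
import re

# Constructed sample named.conf; zone names and the key name are made up.
SAMPLE_CONF = '''
options {
    directory "/var/named";
    // blackhole drops all traffic from the address, queries included
    blackhole { 202.54.91.119; };
};
zone "example.com" { type master; file "example.com.db"; };
zone "locked.example" { type master; file "locked.db"; allow-update { none; }; };
zone "open.example" { type master; file "open.db"; allow-update { any; }; };
zone "dyn.example" {
    type master; file "dyn.db";
    update-policy { grant ddns-key. subdomain dyn.example. A; };
};
'''

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def block_after(text, start):
    """Return the body of the first brace block opening at or after start."""
    i = text.index('{', start)
    depth = 0
    for j in range(i, len(text)):
        depth += {'{': 1, '}': -1}.get(text[j], 0)
        if depth == 0:
            return text[i + 1:j]
    raise ValueError('unbalanced braces')

def update_setting(body):
    """Classify the dynamic-update statement in one block, or None if absent."""
    if re.search(r'\bupdate-policy\s*\{', body):
        return 'allowed by update-policy'
    acl = re.search(r'\ballow-update\s*\{([^}]*)\}', body)
    if not acl:
        return None
    elems = [e.strip() for e in acl.group(1).split(';') if e.strip()]
    return 'denied (explicit none)' if elems == ['none'] else 'allowed: ' + ', '.join(elems)

def audit(conf):
    conf = strip_comments(conf)
    # allow-update may also be set in options, where zones inherit it
    opts = re.search(r'\boptions\s*\{', conf)
    inherited = update_setting(block_after(conf, opts.start())) if opts else None
    return {m.group(1): update_setting(block_after(conf, m.start()))
            or inherited or 'denied (default)'
            for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf)}
```

Calling audit(SAMPLE_CONF) returns a dict keyed by zone name; any value starting with "allowed" marks a zone whose update permissions deserve a closer look.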