DNS "Zone Update" Attack

Stefan Puiu stefan.puiu at gmail.com
Wed Nov 30 11:50:45 UTC 2005


Well, I'm far from being an expert on this, but since no one else bothered
to answer... If you want to relieve the load on the external DNS server
machine, you could filter out traffic coming from the offending machines on
your external firewall. This way the traffic won't reach your server.
Also, you could try reporting this issue to the provider which has the
offending IPs delegated, assuming that they care about this, of course.
Usually you can find out where to report this kind of problem by querying
for the IP address in the whois database (use the whois command, or some web
interface like www.whois.sc).

On 11/29/05, Merton Campbell Crockett <mcc at cato.gd-ais.com> wrote:
>
> On Tue, 29 Nov 2005, Stefan Puiu wrote:
>
> > I think the default in BIND 9.3.1 is to not allow any DDNS updates, so no
> > change is required from the default. You have to explicitly state some
> > update-policy or allow-update statement in order to permit updates.
>
> Understood.  The dynamic DNS update requests were being rejected; however,
> the activity did consume resources.
>
> A complicating factor is that our IT department insisted that I move the
> external name server from a BSD/OS to a Linux-based system.  The latter
> isn't POSIX thread compliant or, at least, I assume it's still not
> compliant as BIND complains that it is not able to take advantage of the
> dual-processor hardware.
>
> I do not intend to honour dynamic DNS update requests on this server.  I
> want to minimise the resources needed to log the event and terminate the
> request as quickly as possible.
>
> So, the question boils down to what is the best way to terminate DNS
> requests that you do not intend to support?
>
>
>
> > On 11/29/05, Merton Campbell Crockett <mcc at cato.gd-ais.com> wrote:
> > >
> > >
> > > There appears to be two ways of doing this in BIND 9.3.1.  The first
> > > would be to add the following to each zone statement.
> > >
> > >         allow-updates { none; };
> > >
> > > I'm not sure that the above syntax is correct.  The second would be to
> > > add the following to the options statement.
> > >
> > >         blackhole { 202.54.91.119; };
> > >
> > > The latter seems easier to manage but may have unexpected
> > > side-effects.  By the way, that is the IP address of the system
> > > attempting to update our DNS zones.
> > >
>
>
> Merton Campbell Crockett
>
>
>
>
> --
> BEGIN:                          vcard
> VERSION:                        3.0
> FN:                             Merton Campbell Crockett
> ORG:                            General Dynamics Advanced Information
> Systems;
>                                 Intelligence and Exploitation Systems;
>                                 IT and Engineering Support
> N:                              Crockett;Merton;Campbell
> EMAIL;TYPE=internet:            mcc at CATO.GD-AIS.COM
> TEL;TYPE=work,voice,msg,pref:   +1(805)497-5045
> TEL;TYPE=work,fax:              +1(805)497-5050
> TEL;TYPE=cell,voice,msg:        +1(805)377-6762
> END:                            vcard
>
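To tie the two suggestions in this thread together (Merton's question about cheaply terminating unwanted dynamic updates, and the advice above to filter the offending sources), here is an added example, not code from the list or from BIND: it counts rejected updates per client from constructed log lines in the shape of BIND 9's update-security messages and renders a `blackhole` fragment for the options statement. The log line format, the threshold and the documentation-range addresses are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of BIND 9's update-security log
# messages for rejected dynamic updates (addresses are documentation ranges).
SAMPLE_LOG = """\
30-Nov-2005 11:50:45.101 client 192.0.2.10#34567: update 'example.com/IN' denied
30-Nov-2005 11:50:45.233 client 192.0.2.10#34568: update 'example.com/IN' denied
30-Nov-2005 11:50:46.010 client 192.0.2.10#34569: update 'example.net/IN' denied
30-Nov-2005 11:50:47.500 client 198.51.100.7#5353: update 'example.com/IN' denied
30-Nov-2005 11:50:48.002 client 198.51.100.7#5353: query: example.com IN A -
"""

# Tolerates the optional "@0x..." client handle and "/key name" suffix that
# some BIND 9 releases print between the address and the message.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?:/key \S+)?: update '(?P<zone>[^']+)' denied"
)

def count_denied_updates(log_text):
    """Return {client_ip: number of rejected update attempts}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def offenders(counts, threshold):
    """Sources with at least `threshold` rejected updates, most active first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]

def blackhole_fragment(ips):
    """Render an options-level blackhole list for the given sources.
    named ignores every packet from a blackholed address, so this is far
    broader than the per-zone directive (spelled allow-update, singular,
    with { none; }); keep the list short and review it regularly."""
    if not ips:
        return "blackhole { none; };"
    body = " ".join(f"{ip};" for ip in ips)
    return f"blackhole {{ {body} }};"

if __name__ == "__main__":
    hits = count_denied_updates(SAMPLE_LOG)
    print(blackhole_fragment(offenders(hits, threshold=3)))
```

The same list can feed a firewall rule on the external border instead, which keeps the packets off the name server host entirely.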
