Recursion question + trust?

Mark Andrews Mark_Andrews at isc.org
Mon Mar 27 14:24:49 UTC 2006


> It seems that the advice at the moment is to disable recursion to everyone
> apart from customers, the reasoning being that customers are trustworthy and
> won't poison or knowingly poison the DNS server.
> Since this isn't true, I don't know what to do.
> 
> I read this on webhostingtalk:
> 
> "For example, I'm a spammer. I create a hostname for spam, something.myspam.tld.
> 
> After that, I query your DNS server to resolve the host something.myspam.tld.
> It resolves that host and stores the info in its cache. All further requests
> for that host do not result in propagated lookups but are answered by the
> server from its cache, until the expiration for the zone occurs.
> 
> After that, I set your DNS server as the authoritative server for my zone
> with the domain registrar.
> 
> After that, I start sending spam.
> 
> Now, you are screwed because it looks as if your DNS server is being used for
> spam. "
> 
> 
> If this is true, how can I possibly guard against it (without allowing
> customers to poison the dns)?
> What do (or maybe "should" is better word) big ISPs do?

	You set your access controls appropriately so only the
	recursive-clients can see the cache.  Block queries at
	the options level and allow them at the zone level.

		acl recursive-clients { .... };

		options {
			allow-recursion { recursive-clients; };
			allow-query { recursive-clients; };
		};

		zone example.com {
			....
			allow-query { any; };
		};

	If the domain registrar was doing their job they would be
	checking that the zone was being served by your servers
	before allowing the registration changes to proceed.

	i.e. that they get two authoritative answers for the zone
	with non-zero ttls from each of the servers.

	If they did the checks then the above scam wouldn't work.
	It would also catch lots of silly configuration errors
	leading to a more reliable DNS.

	Similarly the registry should be demanding that the above
	checks are being performed.  Some registries do this but
	not all.

	Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
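The registrar check Mark describes (an authoritative answer with a non-zero TTL from each listed server) can be scripted with dig. The script below is an added example, not part of the original post or of BIND; it assumes `dig` is installed and that the zone's SOA is the record being checked. `check_answer` parses dig's `+noall +comments +answer` output, so a cached reply from a recursive server (no AA flag) is rejected the same way a registrar's check would reject it; the sample outputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the "authoritative answer with a
# non-zero TTL from each server" check a registrar should run before accepting
# a nameserver change. A recursive server that merely cached the name answers
# without the AA flag and therefore fails.

# check_answer ZONE   (dig output on stdin)
# Prints ok | not-authoritative | no-answer | zero-ttl; returns 0 only for ok.
check_answer() {
    zone="$1"
    out=$(cat)
    # dig prints ";; flags: qr aa rd; ..." only when the server answered authoritatively
    if ! printf '%s\n' "$out" | grep -q '^;; flags:.* aa[ ;]'; then
        echo not-authoritative
        return 1
    fi
    # Answer-section line: "example.com.  3600  IN  SOA  ..."; take the TTL field
    ttl=$(printf '%s\n' "$out" | awk -v z="${zone%.}." \
        '$1 == z && $3 == "IN" && $4 == "SOA" { print $2; exit }')
    if [ -z "$ttl" ]; then
        echo no-answer
        return 1
    fi
    if [ "$ttl" -le 0 ]; then
        echo zero-ttl
        return 1
    fi
    echo ok
}

# check_delegation ZONE NS... : query every listed server directly (no recursion)
# and report per server; returns 1 if any server fails the check.
check_delegation() {
    zone="$1"; shift
    failed=0
    for ns in "$@"; do
        result=$(dig @"$ns" "$zone" SOA +norecurse +noall +comments +answer 2>/dev/null \
                 | check_answer "$zone" || true)
        echo "$ns: $result"
        [ "$result" = ok ] || failed=1
    done
    return $failed
}

# Constructed sample outputs in the shape dig prints with +noall +comments +answer
SAMPLE_AUTH=';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
example.com.    3600    IN    SOA    ns1.example.com. hostmaster.example.com. 2006032701 7200 900 1209600 3600'
SAMPLE_CACHED=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
example.com.    1842    IN    SOA    ns1.example.com. hostmaster.example.com. 2006032701 7200 900 1209600 3600'
SAMPLE_ZERO_TTL=';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
example.com.    0    IN    SOA    ns1.example.com. hostmaster.example.com. 2006032701 7200 900 1209600 3600'

# Usage: sh check_delegation.sh example.com ns1.example.com ns2.example.com
if [ "$#" -ge 2 ]; then
    check_delegation "$@"
fi
```

Run it with the zone and the servers you are about to list at the registrar; a server that only has the name in its cache reports `not-authoritative`, which is exactly the case in the quoted scam.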