DDOS prevention - how to restrict queries to hint (root) zones?
Mark Andrews
Mark_Andrews at isc.org
Tue Feb 3 11:17:35 UTC 2009
In message <1233658532.12933.42.camel at muccalla.uninsubria.it>, MAtteo HCE Valsasna writes:
> hi all,
>
> We run BIND 9.3.4-P1.1 on Debian GNU/Linux 4.0 (using the distribution's
> package), that do both recursive queries for internal clients (with
> proper allow-recursion clause) and authoritative servers for the
> institution's domain.
>
>
> There are reports of DDOS attacks based on DNS requests for the root
> zone with spoofed source IP address:
> * the attacker sends a request for the root zone with spoofed source
> address to a DNS server
> * The intermediate victim (DNS server) sends the reply packet -
> significantly larger than the request - to the ultimate victim (the
> owner of the spoofed source IP address in the request packet).
> * the ultimate victim connection is flooded
>
> http://isc.sans.org/diary.html?storyid=5773
>
>
> I verified that our servers reply when queried from a non-trusted source
> address for the root zone. (and we must also notice that the
> "non-trusted source address" argument is pretty pointless when dealing
> with spoofed source addresses: if a query with a spoofed internal source
> address could reach the server, the server would just DDOS an internal
> machine. But we do discard inbound packets with internal source IP
> addresses on the network border).
>
> The first answer to this threat would be to disallow queries for the
> root zone for any client (the root zone is used only by the server
> itself, right?).
>
> * Do you think there is any reason NOT to do this?
>
> * Do you know a simple way to do this?
>
> the trivial solution of adding an allow-query clause to the root
> zone definition is refused by the server, as hint type zones
> cannot have an allow-query clause - see
> https://lists.isc.org/pipermail/bind-users/2006-January/061077.html
>
> there is possibly a way to do this using views, but...
> anything simpler?
acl recursive-clients {
	// networks allowed to use the cache; 192.0.2.0/24 is a placeholder,
	// substitute the institution's internal prefixes
	192.0.2.0/24;
	localhost;
};
options {
	// default for every zone, including the root hint zone
	allow-query { recursive-clients; };
	allow-recursion { recursive-clients; };
};
zone "example.org" {	// "example.org" stands for the institution's own domain
	type slave;	// or master
	...
	allow-query { any; };	// authoritative data stays answerable to anyone
};
Or upgrade to BIND 9.4 or later and use allow-query-cache;
BIND 9.3 is past end-of-life.
Mark
> best regards and thanks for any answer
>
>
> MAtteo Valsasna
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
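After applying the allow-query / allow-query-cache change above, an operator wants to confirm that a query for the root zone from an untrusted address now gets REFUSED instead of a large answer. The script below is an added example for this thread, not code from the original post or from BIND: it builds a minimal "." NS query with only the Python standard library, sends it to a server you name on the command line (127.0.0.1 and port 53 are assumed defaults), and reports the RCODE together with the response-to-query size ratio that makes an answering server useful as a reflector. The packet builder and parser are plain functions so they can be exercised without any network.

```python
"""Check whether a name server answers root-zone (".") NS queries.

Added example for this bind-users thread; not part of the original post
or of BIND. Run it from an address that should NOT be allowed to use the
cache: the expected result after the fix is "refused".
"""
import socket
import struct
import sys

# RCODE values from the DNS header (RFC 1035 section 4.1.1)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
DEFAULT_TXID = 0x1234  # fixed id so the parser can be checked offline


def build_query(qname=".", qtype=2, txid=DEFAULT_TXID):
    """Return a DNS query packet for qname/qtype (2 = NS), class IN, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label for label in qname.strip(".").split(".") if label]
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00"  # root label terminates the name
    question += struct.pack("!HH", qtype, 1)
    return header + question


def parse_response(packet, expected_txid=None):
    """Decode the 12-byte DNS header and return the fields that matter here."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("not a response")
    rcode = flags & 0x000F
    return {
        "txid": txid,
        "rcode": RCODES.get(rcode, str(rcode)),
        "answers": an,
        "authority": ns,
        "additional": ar,
        "size": len(packet),
    }


def classify(info, query_len):
    """Summarise the reflection exposure implied by a response."""
    if info["rcode"] == "REFUSED":
        return "refused"
    if info["answers"] or info["authority"]:
        # bytes sent to the spoofed address per byte received from the sender
        return "answered (amplification %.1fx)" % (info["size"] / query_len)
    return "empty"


def check_server(host, port=53, timeout=3.0):
    """Send one root NS query over UDP and classify the reply."""
    query = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, port))
        data, _ = sock.recvfrom(4096)
    return classify(parse_response(data, expected_txid=DEFAULT_TXID), len(query))


if __name__ == "__main__":
    # 127.0.0.1 is an assumed default; pass the server under test as argv[1]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, check_server(target))
```

Run it twice: once from a host inside the ACL (expect an answer) and once from outside (expect "refused"). A response of "answered" from outside means the hint zone is still reachable and the server can still be used to reflect traffic at a spoofed source, exactly the exposure described in the quoted message.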