Bind dns amplification attack
Grant Taylor
gtaylor at tnetconsulting.net
Tue Mar 28 16:16:51 UTC 2023
On 3/28/23 6:30 AM, Matus UHLAR - fantomas wrote:
> Great, this means that only clients with those IP addresses can query
> your server for non-local information.
I used to think the same thing.
Then I learned that I needed to also add similar configuration for
`allow-query {...};` and `allow-query-cache {...};`
The `allow-query-cache {...};` actually bit me because people were able
to get the result of recursion if it was in the cache.
allow-recursion { recclients; };
allow-query { recclients; };
allow-query-cache { recclients; };
Something to consider.
--
Grant. . . .
unix || die
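The three `allow-*` statements above, put together in context as an added example (this is not configuration from Grant's post or from ISC's documentation). The ACL name `recclients` comes from the post; the address ranges inside it, the zone name `example.net`, and the `rate-limit` values are assumptions for illustration. Setting all three statements explicitly, rather than relying on one to default from another, is the point: which statement inherits from which has differed between BIND 9 versions, and an explicit value works the same everywhere.

```conf
// Added example: named.conf excerpt for a resolver that also hosts one
// authoritative zone. Address ranges are RFC 5737/3849 documentation
// prefixes, assumed for illustration; substitute your own client networks.
acl recclients {
    localhost;
    localnets;
    192.0.2.0/24;          // assumed: office LAN
    2001:db8:1::/48;       // assumed: office IPv6 prefix
};

options {
    directory "/var/cache/bind";
    recursion yes;

    // Restricting only allow-recursion is the incomplete form: clients
    // outside recclients could still be answered for any name, or for
    // names already sitting in the cache, depending on what the other
    // two statements default to.  State all three explicitly.
    allow-recursion   { recclients; };   // who may trigger recursion
    allow-query       { recclients; };   // who may ask this server anything
    allow-query-cache { recclients; };   // who may read already-cached answers

    // Everyone else gets REFUSED, which is a small answer and a poor
    // amplifier.  Response rate limiting (BIND 9.9.4 and later) caps
    // identical answers per client prefix for the zones this server
    // still answers publicly.  Values are assumptions; tune for your load.
    rate-limit {
        responses-per-second 10;
        window 5;
        log-only no;
    };
};

// A zone the world must be able to resolve: a zone-level allow-query
// overrides the global one, so public lookups of this zone still work
// while cache and recursion stay limited to recclients.
zone "example.net" {
    type primary;           // "master" on BIND releases before 9.16
    file "/etc/bind/db.example.net";
    allow-query { any; };
};
```

To verify the cache restriction after reloading, query from a host outside `recclients` for a name that an inside host has just resolved, without asking for recursion: `dig @ns.example.net www.isc.org A +norecurse`. A correctly restricted server returns status REFUSED; an answer with the cached record means `allow-query-cache` is still open. Repeat the test against `example.net` itself to confirm the zone-level `allow-query { any; }` still answers.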