DNS "Zone Update" Attack
base60
nobody at whitehouse.com
Thu Dec 1 02:10:28 UTC 2005
Merton Campbell Crockett wrote:
> On Tue, 29 Nov 2005, Stefan Puiu wrote:
>
>
>>I think the default in BIND 9.3.1 is to not allow any DDNS updates, so no
>>change is required from the default. You have to explicitly state some
>>update-policy or allow-update statement in order to permit updates.
>
>
> Understood. The dynamic DNS update requests were being rejected; however,
> the activity did consume resources.
Many Windows systems attempt to do this by default.
>
> A complicating factor is that our IT department insisted that I move the
> external name server from a BSD/OS to a Linux -based system. The latter
> isn't POSIX thread compliant or, at least, I assume its still not
> compliant as BIND complains that it is not able to take advantage of the
> dual-processor hardware.
>
> I do not intend to honour dynamic DNS update requests on this server. I
> want to minimise the resources needed to log the event and terminate the
> request as quickly as possible.
>
> So, the question boils down to what is the best way to terminate DNS
> requests that you do not intend to support?
The allow-updates is off by default, but explicitly adding it doesn't
hurt.
"blackhole" tosses the request, but you could do the same with a null
route "route add 202.54.91.119 localhost -reject" which would eliminate
it prior to it hitting bind.
>
>
>
>
>>On 11/29/05, Merton Campbell Crockett <mcc at cato.gd-ais.com> wrote:
>>
>>>
>>>There appears to be two ways of doing this in BIND 9.3.1. The first
>>>would be to add the following to each zone statement.
>>>
>>> allow-updates { none; };
>>>
>>>I'm not sure that the above syntax is correct. The second would be to
>>>add the following to the options statement.
>>>
>>> blackhole { 202.54.91.119; };
>>>
>>>The latter seems easier to manage but may have unexpected
>>>side-effects. By the way, that is the IP address of the system
>>>attempting to update our DNS zones.
>>>
>
>
>
> Merton Campbell Crockett
>
>
>
>
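The thread's two mitigations (refusing updates per zone, and dropping the offending source before it reaches named) both rest on knowing which clients keep sending update requests. As an added example that is not part of the original thread or of BIND, the following Python script counts "update denied" log lines per source address and renders a `blackhole` clause for the options block. The log lines are constructed, and the line shape it expects (`client <ip>#<port>: update '<zone>/IN' denied`) is an assumption about BIND's logging; the address 202.54.91.119 is the one quoted in the thread. Note that the zone-level directive is spelled `allow-update` in named.conf.

```python
import re
from collections import Counter

# Constructed sample of BIND-style log lines (not taken from the thread).
# Assumed line shape: "client <ip>#<port>: update '<zone>/IN' denied".
SAMPLE_LOG = """\
30-Nov-2005 14:02:11.123 client 202.54.91.119#1034: update 'example.net/IN' denied
30-Nov-2005 14:02:12.456 client 202.54.91.119#1035: update 'example.net/IN' denied
30-Nov-2005 14:02:13.789 client 202.54.91.119#1036: update 'sub.example.net/IN' denied
30-Nov-2005 14:05:00.001 client 192.0.2.77#5353: update 'example.net/IN' denied
30-Nov-2005 14:05:02.002 client 192.0.2.77#5353: query: www.example.net IN A
"""

# Matches only denied dynamic-update attempts; ordinary queries are ignored.
UPDATE_DENIED = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: update '(?P<zone>[^']+)/IN' denied"
)


def count_denied_updates(log_text):
    """Return {source_ip: number of denied dynamic-update attempts}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = UPDATE_DENIED.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def blackhole_candidates(counts, threshold=3):
    """Sources that exceeded the threshold, sorted for stable config output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def render_blackhole_acl(ips):
    """Render a named.conf 'blackhole' clause for the options block.

    With no candidates the clause is rendered as 'none' so the output is
    always valid to paste into the options statement.
    """
    if not ips:
        return "blackhole { none; };"
    body = " ".join(f"{ip};" for ip in ips)
    return f"blackhole {{ {body} }};"


if __name__ == "__main__":
    found = count_denied_updates(SAMPLE_LOG)
    for ip, n in sorted(found.items()):
        print(f"{ip}: {n} denied update(s)")
    print(render_blackhole_acl(blackhole_candidates(found)))
```

Run against a real named log, the threshold keeps a single stray Windows registration from being blackholed while repeat offenders are listed; the rendered clause goes into `options { ... }`, and each zone keeps `allow-update { none; };` so that updates stay refused even if a source is not yet on the list.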