Comments on: Episode 4 http://www.ask-mrdns.com/2009/02/episode-4/ Matt Larson and Cricket Liu expound on DNS and other topics Sat, 04 Sep 2010 10:44:54 +0000 http://wordpress.org/?v=2.8.4 hourly 1 By: cricket http://www.ask-mrdns.com/2009/02/episode-4/comment-page-1/#comment-9 cricket Tue, 03 Feb 2009 17:45:47 +0000 http://www.ask-mrdns.com/?p=109#comment-9 Hi, Jesper. Thanks for your comment! Yes, you're quite right: If you grab a copy of the root zone's data file and configure it on your name server with an <code>allow-query { none; };</code> ACL, that ACL applies only to the contents of the root zone. An attacker can still query your name server for (for example) <em>mumble.com</em>, which is in a delegated subdomain and hence not covered by the ACL, and your name server will reply with an upward referral. I hadn't thought about that. The two suggestions we made in the podcast aren't susceptible to this, though: Disabling upward referrals disables them for any query, and <code>options { allow-query { none; }; };</code> applies the ACL to any queries outside of authoritative zones. I don't think BIND has a direct analogue to the "ignore all lame requests" feature you mention in Simple DNS Plus - that sounds handy! cricket Hi, Jesper. Thanks for your comment!

Yes, you’re quite right: If you grab a copy of the root zone’s data file and configure it on your name server with an

allow-query { none; };

ACL, that ACL applies only to the contents of the root zone. An attacker can still query your name server for (for example) mumble.com, which is in a delegated subdomain and hence not covered by the ACL, and your name server will reply with an upward referral. I hadn’t thought about that.

The two suggestions we made in the podcast aren’t susceptible to this, though: Disabling upward referrals disables them for any query, and

options {
allow-query { none; };
};

applies the ACL to any queries outside of authoritative zones.

I don’t think BIND has a direct analogue to the “ignore all lame requests” feature you mention in Simple DNS Plus – that sounds handy!

cricket

]]> By: Jesper http://www.ask-mrdns.com/2009/02/episode-4/comment-page-1/#comment-8 Jesper Tue, 03 Feb 2009 12:33:15 +0000 http://www.ask-mrdns.com/?p=109#comment-8 Glad to see Mr. DNS live and kicking! In this episode 4, you talk about how to avoid getting involved in these ongoing DDoS attacks (DNS reflection / amplification). The solution mentioned by the writer (a no-access root zone) seems a good response to the specific attack - but will of course fail as soon as the attacker starts randomizing the query name (there are some indications that this is already underway). You talk about configuring BIND not to send "additional" records - but if I understand this correctly - BIND will still respond (participate in the attack) - just with a smaller response. I think that a better solution would be to configure the name server to ignore all lame requests (requests from IP not allowed recursion, and not for name in local zone). I don't know how this is configured in BIND, but for reference, here is the config for Simple DNS Plus: http://www.simpledns.com/newsitem.aspx?id=2362 Thanks for a great pod-cast. Glad to see Mr. DNS live and kicking!
In this episode 4, you talk about how to avoid getting involved in these ongoing DDoS attacks (DNS reflection / amplification).
The solution mentioned by the writer (a no-access root zone) seems a good response to the specific attack – but will of course fail as soon as the attacker starts randomizing the query name (there are some indications that this is already underway).
You talk about configuring BIND not to send “additional” records – but if I understand this correctly – BIND will still respond (participate in the attack) – just with a smaller response.
I think that a better solution would be to configure the name server to ignore all lame requests (requests from IP not allowed recursion, and not for name in local zone).
I don’t know how this is configured in BIND, but for reference, here is the config for Simple DNS Plus: http://www.simpledns.com/newsitem.aspx?id=2362
Thanks for a great pod-cast.

]]>