[dns-operations] Best Practices in DNS security
Lutz Donnerhacke
lutz at iks-jena.de
Fri Mar 17 08:17:46 UTC 2006
* Paul Vixie wrote:
> some answers based on my BIND9 experiences.
>
> i've found that the best thing to do is an allow-query directive listing
> the local address space. firewalls can theoretically be better, but are
> usually harder to reconfigure when new "inside" address space is added.
>
> note that there is an allow-recursion ACL that doesn't do what most folks
> think it does. this ACL will prevent recursion from being done on behalf
> of non-ACL-matching source addresses, but still gives access to authority
> data or previously-cached recursive data. my advice is, don't use this.
Following the discussions of amplifying attacks, I tested our bind9.3.2
installations. The tested config was:
acl iks { 217.17.192.0/20; 2001:4bd8::/32; };
options {
        allow-query { iks; };
        # no allow-recursion statement
};
...
authoritative zone data
This configuration allows remote clients to query recursively.
After adding "allow-recursion { iks; };" to the option list, the servers do
behave as expected: REFUSED for remote queries other than authoritative.