[dns-operations] Best Practices in DNS security

Paul Vixie paul at vix.com
Fri Mar 17 18:01:23 UTC 2006


# Following the discussions of amplifying attacks, I tested our bind9.3.2
# installations. The tested config was:
#   
#   acl iks { 217.17.192.0/20; 2001:4bd8::/32; };
#   options {
#     allow-query {iks;};
#     # no allow-recursion statement
#   }
#   ...
#   authoritative zone data
# 
# This configuration allows remote clients to query recursively.

that sounds like a bind bug.  for me, allow-query sets the limit on what
source addresses are not told REFUSED.  note that i'm running unreleased
code, but i didn't think this was broken in earlier releases.

#sa:amd64# strings /usr/local/sbin/named | grep 'named version'
named version: BIND 9.4.0a3 (Dec 10 2005)

# After adding "allow-recursion {iks;};" to the option list, the servers do
# behave as expected: REFUSED for remote queries other than authoritative.

i suggest that you ask bind-users at isc.org about that, since it's about bind
specifically rather than dns operations in general.
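As an added example that is not part of this thread: a small Python check that scans a named.conf options block for the pattern the quoted message reports (allow-query set, no allow-recursion statement) and, going one step beyond the message, also flags allow-recursion { any; }. The named.conf fragments inside it are constructed from the quoted config; the function names are my own.

```python
import re

# Constructed sample named.conf fragments (not from the original message):
# the options block the poster reported, and the same block with the explicit
# allow-recursion statement that made the servers return REFUSED.
WEAK_CONF = """
acl iks { 217.17.192.0/20; 2001:4bd8::/32; };
options {
  allow-query {iks;};
  # no allow-recursion statement
};
"""
FIXED_CONF = WEAK_CONF.replace("# no allow-recursion statement",
                               "allow-recursion {iks;};")

def strip_comments(conf):
    """Remove /* */, // and # comments so they cannot hide or fake a statement."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def options_block(conf):
    """Return the text inside the top-level options { ... } block ('' if absent)."""
    text = strip_comments(conf)
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        return ""
    depth, i = 1, start.end()
    while i < len(text) and depth:          # brace matching copes with nested lists
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start.end():i - 1]

def acl_tokens(block, stmt):
    """Elements of `stmt { ... };` inside block, or None if the statement is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(stmt), block)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]

def check_recursion_acl(conf):
    """Findings about who may recurse through a server with this options block."""
    block = options_block(conf)
    query = acl_tokens(block, "allow-query")
    rec = acl_tokens(block, "allow-recursion")
    findings = []
    if rec is None:
        # The case from the message: allow-query alone, recursion policy left to defaults.
        suggested = "; ".join(query) + ";" if query else "localnets;"
        findings.append("allow-recursion not set: add 'allow-recursion { %s };'" % suggested)
    elif "any" in rec:
        findings.append("allow-recursion { any; } makes this an open recursive resolver")
    return findings
```

Running check_recursion_acl on the weak fragment yields one finding suggesting allow-recursion { iks; }; the fixed fragment yields none.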
