[dns-operations] Best Practices in DNS security
Paul Vixie
paul at vix.com
Fri Mar 17 18:01:23 UTC 2006
# Following the discussions of amplifying attacks, I tested our bind9.3.2
# installations. The tested config was:
#
# acl iks { 217.17.192.0/20; 2001:4bd8::/32; };
# options {
# allow-query {iks;};
# # no allow-recursion statement
# }
# ...
# authoritative zone data
#
# This configuration allows remote clients to query recursively.
that sounds like a bind bug. for me, allow-query sets the limit on what
source addresses are not told REFUSED. note that i'm running unreleased
code, but i didn't think this was broken in earlier releases.
#sa:amd64# strings /usr/local/sbin/named | grep 'named version'
named version: BIND 9.4.0a3 (Dec 10 2005)
# After adding "allow-recursion {iks;};" to the option list, the servers do
# behave as expected: REFUSED for remote queries other than authoritative.
i suggest that you ask bind-users at isc.org about that, since it's about bind
specifically rather than dns operations in general.
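A way to repeat the poster's test against your own servers, as an added example that is not code from the list post: a POSIX sh function that classifies dig's response header as refused, open-recursive or non-recursive, plus a probe helper. The server address and probe name are placeholders, and the sample dig headers are constructed, so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example: classify what a server answers to a recursive query for a
# name outside its zones. Reads dig(1) output on stdin and prints one word:
#   refused        - status REFUSED: allow-query/allow-recursion rejected us
#   open-recursive - NOERROR with the 'ra' flag: recursion granted to this client
#   non-recursive  - answered without 'ra': recursion not offered to this client
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    case "$status" in
        REFUSED) echo refused ;;
        NOERROR)
            case " $flags " in
                *" ra "*) echo open-recursive ;;
                *)        echo non-recursive ;;
            esac ;;
        *) echo "other:${status:-no-response}" ;;
    esac
}

# Probe a server from a host outside its ACL. Query a name the server is not
# authoritative for, so a NOERROR answer can only have come from recursion.
# Placeholders: the server address and probe name are not from the list post.
probe_recursion() {
    dig @"$1" +time=2 +tries=1 "${2:-www.example.com}" A | classify_dig_output
}

# Constructed sample dig headers for offline use (not real captures).
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

# demo: classify both samples; prints "refused" then "open-recursive".
demo() {
    printf '%s\n' "$SAMPLE_REFUSED" | classify_dig_output
    printf '%s\n' "$SAMPLE_OPEN" | classify_dig_output
}
```

Run `probe_recursion <server-ip>` from an address outside the server's ACL; anything other than `refused` for a name you do not serve means that client is being granted recursion.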