why not? beter handled by isc and done in a clean way then 1.000.000 of
dirty ways as these ;)
-------------------------------
Alberto Colosi
IBM Global Business Services
Sistemi Informativi S.P.A.
IT NetWork & Security Department
*-* *-* *-*
SECURITY IS EVERYONE'S BUSINESS
Member of
IBM Information Security WW CoP
Mark Andrews <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/12/2008 00.26
To
[EMAIL PROTECTED]
cc
Subject
Re: Dropping external recursive requests
One needs to be really, really careful here. There are lots of
unverifiable assumptions in the OP query. Also rd being set my
just be the result of someone testing with a tool which sets rd by
default.
Going silent on a query reponses protocol is not a good idea. There
are already too many firewalls / nameservers that do this to
legitimate queries. We really don't want to encourage this sort
of behaviour.
If it is a forged packet it should be dropped regardless of the setting
of RD. If the only reason to think the packet is forged is the setting
of RD=1 then the OP has committed a reasoning error.
Mark
In message <[EMAIL PROTECTED]>, Chris Buxton
writes:
> That ought to work, and work well.
>
> This will not impact outside name servers that query your name server,
> because they send iterative queries. If they're sending recursive
> queries, they're abusing your server. I can't see any problems with this
> approach.
>
> If you have authoritative data in the third view, make sure that when
> the first view wants to look it up, its iterative query to the server
> machine itself is routed through to the third view (rather than being
> captured by the first view).
>
> Chris Buxton
> Men & Mice
>
> On Tue, 2008-12-02 at 17:10 -0800, [EMAIL PROTECTED] wrote:
> > Our DNS server occasionally get requests for recursion with forged src
> > addresses.
> > Currently our server returns "Standard query response, Refused" since
> > our named.conf
> > only allows recursion for our internal machines. This, of course,
> > results in the poor
> > machine whose address was forged receiving spurious traffic.
> >
> > Some of the Cisco firewalls support DNS inspection and can be
> > configured to drop
> > requests which want recursion. What are the ramifications of enabling
> > this?
> >
> > Can bind be configured to do this? I was thinking about something
> > like:
> >
> > view "internal" {
> > match-clients { localhost; localnets; };
> > ...
> > }
> >
> > view "external-recursive" {
> > match-clients { any; };
> > match-recursive-only yes;
> > blackhole { any};
> > }
> >
> > view "external" {
> > ...
> > }
> >
> > -- John
> > [EMAIL PROTECTED]
> > _______________________________________________
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
