On Jan 19, 2009, at 5:02 AM, Leonardo Rodrigues Magalhães wrote:
Nathan Ollerenshaw escreveu:
I have an Authoritative BIND server. It is configured to only allow
recursive queries from localhost, with recursion disabled for any
remote clients.
If you attempt to perform a recursive query against this server, it
will respond with a "query refused" packet, as this is what BIND does
if you try to recursively query a server configured to disallow
recursive queries.
[ ........ ]
Any ideas? Anyone facing this same problem found a solution? I'd be
glad to hear it :)
if you're running authoritative only for localhost and is not
answering network requests at all, then you could probably firewall
incoming packets to UDP 53 port !!! Let the responses in, let the new
requests out.
i cant imagine anything simplier than that.
If you need 53 to answer for authoritative zones, you could run two
bind instances, one for your caching server,
the other for the authoritative data. Then a firewall or instance-wide
black-hole config would take care of it.
Not too inspired a solution, but it's all I can think of.
I fear that what you are seeing is difficult to handle, thus may well
become only more popular as time passes,
especially if it really does cause trouble for the victim. If the
traffic is negligible for you, then does it really
hurt the victim? How would they be harmed? Is the victim someone who
queries your authoritative
server enough to get some confusing "hits" of matching port, ID, and
server of outstanding queries? Even if you
block recursive error returns, would an attack using valid
authoritative answers be equally harmful to the victim?
John
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
