On 22 January 2014 05:29, LuKreme <krem...@kreme.com> wrote:
> OK, so in order to lock down your server agains DDOS DNS attacks you need to
> restrict the access to the recursive lookup, yes? But if you set 'recursion
> no;' then your own servers will not lookup IP addresses for, for example, you
> mail server to check reject_unknown_reverse_client_hostname or related.
> Looking at that, if I am reading it correctly, I should have
> allow-recursion { "localnets"; }
So yes that is an option to restrict which IPs can perform recursion
by using an ACL. A better option (and better overall design) would be
to split your DNS servers, leave the current DNS servers as
authoritative only and install a second set of DNS servers as a
caching layer allowing recursion and do not have any direct inbound
access from the Internet. All internal clients point to the caching
layer.
> in the options on the master and slave DNS servers (along with any other
> specific IPs that I want to/need to allow). Given the risks in allowing
> recursion for the wilds of the Internet, how are companies like Google able
> to allow access to 8.8.8.8 and 8.8.4.4 without being used for these DDOS
> attacks?
Well they probably are being subjected to DDoS all the time, but
Google uses their own DNS implementation so more than likely they have
written in functionality to rate-limit and block specific
clients/requests. They also have a lot of bandwidth and they have a
lot of servers, using Anycast for distribution.
http://en.wikipedia.org/wiki/Google_Public_DNS
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
