On 2012-06-18 9:49 AM, Stephane Bortzmeyer wrote:
> On Tue, Jun 12, 2012 at 08:15:00PM +0000,
>  Paul Vixie <p...@redbarn.org> wrote
>  a message of 21 lines which said:
>
>> [recursive servers are] a separate problem, and most of the time the
>> fix is to add an ACL to deny off-net or off-campus query traffic.
>
> If you don't do ingress filtering, it still allows people to attack
> your users (they can send from the outside a "ANY ripe.net" query
> claiming to be from a local machine).
if you want to resist spoofed-source attacks, there's a suite of necessary
countermeasures, one of which is to lock down every UDP app you have to make
sure they are either only available within your own network (so, an ACL) or
are rate limited (as the DNS RRL patch for BIND9(*) seems able to do, but as
google dns and opendns also do.)

importantly, you must also drop any packet whose source address isn't correct
for the input interface. this means (as above) dropping packets from outside
your network which purport to be from inside your network; more commonly it
means dropping packets from inside your network which purport to be from
outside your network. this is covered in BCP38 and BCP84(*) and to a lesser
extent SAC004(*).

paul

(*) http://www.redbarn.org/dns/ratelimits
    http://tools.ietf.org/html/bcp38
    http://tools.ietf.org/html/bcp84
    http://archive.icann.org/en/committees/security/sac004.txt
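The two layers Paul describes (an on-net-only ACL for UDP services, plus dropping any packet whose source address is wrong for the interface it arrived on) can be written down as one small filter. The block below is an added illustration for this thread, not code from either poster or from BIND; the interface names, prefixes, service addresses and packets are constructed sample values, and a real deployment would express the same rules in the router's or host's own packet filter.

```python
"""Source-address validation (BCP38/BCP84 style) plus an on-net-only UDP ACL.

Added example for the dns-operations thread above; not code from the thread.
All interface names, prefixes, service addresses and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: prefixes legitimately reachable behind each *inside* interface.
# The "outside" (upstream) interface is any interface not listed here.
INTERFACE_PREFIXES = {
    "inside": [
        ipaddress.ip_network("192.0.2.0/24"),
        ipaddress.ip_network("2001:db8:1::/48"),
    ],
}

# Constructed: UDP services that must only be reachable from on-net sources
# (the "ACL" option in the post), keyed by (destination address, port).
ON_NET_ONLY_UDP_SERVICES = {
    ("192.0.2.53", 53),    # campus recursive resolver
    ("192.0.2.123", 123),  # campus NTP server
}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


def _is_inside_address(addr):
    """True if addr belongs to any prefix behind any inside interface."""
    return any(addr in net for nets in INTERFACE_PREFIXES.values() for net in nets)


def source_valid_for_interface(pkt):
    """BCP38 check: return ("accept"|"drop", reason).

    Packets arriving on an inside interface must carry a source from that
    interface's prefixes (drops spoofed 'outside' sources leaving the campus).
    Packets arriving from outside must NOT carry a source from any inside
    prefix (drops spoofed 'inside' sources coming from the Internet).
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.in_iface in INTERFACE_PREFIXES:
        if any(src in net for net in INTERFACE_PREFIXES[pkt.in_iface]):
            return "accept", "source matches ingress interface prefixes"
        return "drop", "egress spoof: inside interface, non-local source"
    if _is_inside_address(src):
        return "drop", "ingress spoof: outside interface, local source"
    return "accept", "outside interface, external source"


def filter_packet(pkt):
    """Apply source validation first, then the on-net-only UDP service ACL."""
    verdict, reason = source_valid_for_interface(pkt)
    if verdict == "drop":
        return verdict, reason
    if pkt.proto == "udp" and (pkt.dst, pkt.dport) in ON_NET_ONLY_UDP_SERVICES:
        if pkt.in_iface not in INTERFACE_PREFIXES:
            return "drop", "ACL: on-net-only UDP service queried from off-net"
    return "accept", reason


if __name__ == "__main__":
    # Constructed traffic: one legitimate query, one off-net query to the
    # resolver, and both spoofing directions the post describes.
    samples = [
        Packet("inside", "192.0.2.10", "192.0.2.53", "udp", 53),
        Packet("outside", "203.0.113.5", "192.0.2.53", "udp", 53),
        Packet("outside", "192.0.2.10", "192.0.2.53", "udp", 53),
        Packet("inside", "203.0.113.5", "198.51.100.1", "udp", 53),
    ]
    for p in samples:
        print(p.in_iface, p.src, "->", p.dst, p.proto, p.dport, filter_packet(p))
```

The order matters: the source check runs before the ACL, so a packet from the Internet forged with a campus source address is dropped as a spoof rather than being let through by an ACL that only looks at the source address.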