[nycbug-talk] dns abuse
max at neuropunks.org
Wed Jan 21 18:10:32 EST 2009
Miles Nordin wrote:
>>>>>> "y" == Yarema <yds at CoolRat.org> writes:
> y> In the case of this latest spoof attack it seems to me
> y> like everyone was scrambling for a way to disable answering
> y> the "." zone. Was everyone trying to figure out a way to
> y> violate "some standard" as a way of protecting their DNS
> y> servers?
> probably, yes. Both goals are semi-hysterical.
I don't believe it says anywhere that an auth DNS server MUST answer a
request for the root zone - it only knows about the zones it's authoritative for.
If you don't want to declare a hint zone a master you can use views.
I also think firewall/router level protection like throttling is a much
better way to protect *my* servers - in this case, the victim's servers
are what need protection. It's good etiquette not to participate
in/amplify a DDoS.
Check out the NANOG threads on the subject:
> y> So having said all that I'm now convinced that tinydns is
> y> doing the Right Thing(TM) by not replying to queries for the
> y> "." zone, because no one has any business asking my
> >> And it provides no real security because I can still do a query
> >> for something for which your server is authoritative and get it
> >> to amplify an attack.
> y> Doesn't this apply equally to any DNS server out there?
> Yes, to any server including djbdns, which is my point.
> It's security through obscurity, possibly at the expense of
> standards-compliance (though possibly not. I'm still not sure whether
> it's a BIND bug, or an intentional feature complying to the letter of
> some standard or working around some resolver's corner case).
> y> The "crazed zealot" did deliver the library piece of the
> y> resolver: http://cr.yp.to/djbdns/blurb/library.html
> Okay, I guess I'm wrong. It's still mostly a wheel-reinvention, in
> that it preserves the BIND architecture of implementing a resolver
> through a stateless client stub library plus a recursive resolver.
> He's just stirring around the bowl full of dust a bit, arguing about
> the exact order to put function arguments or how to allocate memory.
> Even BIND's lwres is probably a more relevant re-invention than his.
> The Mac OS X and Solaris resolvers seem to include more client-side
> caching and an abstract interface that's not DNS-specific, is generic
> for looking up "directory" information or netinfo. In both cases
> they used this abstraction to move from their old directory protocols
> (NIS+ and Netinfo) to LDAP, and in Apple's case the hostname lookup
> part includes seamless dns-sd/zeroconf support which requires a lot of
> resolver state to be performant. I brought them up because they're
> more genuine examples of what it really means to separate the resolver
> from the server, and of what sorts of refactoring are possible once you
> do this---DNS caching gets mixed in with caching other directory data,
> and the API gets simpler and more powerful. DJB's separation is more
> just copying BIND and then applying a bunch of NIH ranting against it.
> Not pointlessly, but it's just OCD screaming, not the actual
> creativity you can find among younger developers. That's why I think
> sysadmins should resist a temptation to idolize him, and sort of
> embrace all this bloated buggy modern crap a little more readily,
> learn how to recognize the good and bad among it, and exist in a world
> built from it.
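As an added illustration of the detection side of this thread (example code, not from any of the posters), the script below scans constructed, simplified BIND-style query-log lines and flags sources that repeatedly ask an authoritative-only server for the root zone or for ANY records, the two query shapes the thread says are used to amplify traffic toward a spoofed victim. The log format, IP addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumed, simplified BIND 9 "queries" log line shape (not a real capture).
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9.]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+) (?P<flags>\S+)"
)

# Constructed sample: 192.0.2.10 and 203.0.113.7 play the spoofed victim
# addresses; 198.51.100.5 is an ordinary client of a zone we actually serve.
SAMPLE_LOG = """\
21-Jan-2009 18:10:00.101 client 192.0.2.10#53: query: . IN NS +
21-Jan-2009 18:10:00.102 client 192.0.2.10#53: query: . IN NS +
21-Jan-2009 18:10:00.103 client 192.0.2.10#53: query: . IN NS +
21-Jan-2009 18:10:00.104 client 192.0.2.10#53: query: . IN NS +
21-Jan-2009 18:10:00.250 client 198.51.100.5#41023: query: www.example.org IN A +
21-Jan-2009 18:10:00.300 client 203.0.113.7#53: query: example.org IN ANY +
21-Jan-2009 18:10:00.301 client 203.0.113.7#53: query: example.org IN ANY +
21-Jan-2009 18:10:00.302 client 203.0.113.7#53: query: example.org IN ANY +
21-Jan-2009 18:10:01.000 client 198.51.100.5#41024: query: mail.example.org IN MX +
"""


def parse_queries(log_text):
    """Yield (ip, port, name, qtype) for each line matching the assumed format."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m["ip"], int(m["port"]), m["name"], m["qtype"]


def find_amplification_sources(log_text, threshold=3):
    """Return {ip: {"root": n, "any": n}} for sources whose root-zone ('.')
    or ANY query count reaches `threshold`.  An auth-only server has no
    business answering '.' at all, and ANY against a zone it does serve is the
    other amplifier the thread mentions; both are candidates for throttling."""
    counts = defaultdict(lambda: {"root": 0, "any": 0})
    for ip, _port, name, qtype in parse_queries(log_text):
        if name == ".":
            counts[ip]["root"] += 1
        if qtype == "ANY":
            counts[ip]["any"] += 1
    return {ip: c for ip, c in counts.items() if max(c.values()) >= threshold}


if __name__ == "__main__":
    for ip, c in find_amplification_sources(SAMPLE_LOG).items():
        print(f"{ip}: {c['root']} root-zone queries, {c['any']} ANY queries")
```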