[nycbug-talk] dns abuse

Andy Kosela akosela at andykosela.com
Tue Jan 20 06:38:24 EST 2009


Max Gribov <max at neuropunks.org> wrote:

> Miles Nordin wrote:
> > but the usual fix is to limit recursive service to your own ip's:
> > options {
> >         /* fucking chinese pointing themselves at me */
> >         allow-recursion { fw; };
> >   
> hmm, that's what I had there before, since the jails use the master for 
> their DNS server, so recursion was allowed to their IPs.

Disabling recursion to hosts outside of your LAN is the first step in
securing your DNS server.  Otherwise you are prone to DoS and/or DNS
cache poisoning attacks.  I think the recent patches from ISC randomize
the QID to the point that it is extremely difficult to launch this attack
successfully, but theoretically it is still possible, since the UDP
protocol is so insecure.

--Andy
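An added example, not from the thread or from ISC: a small Python audit that parses a named.conf fragment and reports whether `allow-recursion` leaves the server open to the whole Internet. The two configs are constructed, one open resolver beside the restricted form the thread recommends; the `fw` ACL contents are invented, and a missing `allow-recursion` statement is conservatively treated as open (an assumption, since the BIND default varies by version).

```python
import re

# Constructed sample configs (not from the thread). OPEN_CONF answers
# recursive queries for anyone; RESTRICTED_CONF limits them to a local ACL.
OPEN_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
};
"""

RESTRICTED_CONF = """
acl fw { 127.0.0.1; 192.0.2.0/24; 2001:db8::/32; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { fw; };
};
"""

# Address-match entries that mean "everyone".
OPEN_TOKENS = {"any", "0.0.0.0/0", "::/0"}


def parse_acls(conf):
    """Map each named acl to its list of address-match entries."""
    acls = {}
    for name, body in re.findall(r'acl\s+("?[\w-]+"?)\s*\{([^}]*)\}', conf):
        acls[name.strip('"')] = [e.strip() for e in body.split(";") if e.strip()]
    return acls


def recursion_clients(conf):
    """Entries of allow-recursion inside options, with named ACLs expanded.
    Returns None when the statement is absent."""
    m = re.search(r"options\s*\{.*?allow-recursion\s*\{([^}]*)\}", conf, re.S)
    if not m:
        return None
    acls = parse_acls(conf)
    clients = []
    for entry in (x.strip() for x in m.group(1).split(";")):
        if entry:
            clients.extend(acls.get(entry, [entry]))
    return clients


def is_open_resolver(conf):
    """True if recursion is enabled and allowed from the whole Internet."""
    if re.search(r"\brecursion\s+no\s*;", conf):
        return False  # recursion switched off entirely
    clients = recursion_clients(conf)
    if clients is None:
        return True  # assumption: no explicit restriction, flag for review
    return any(c.lower() in OPEN_TOKENS for c in clients)
```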


