[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
DNS DoS ???
- Subject: DNS DoS ???
- From: jlewis at lewis.org (Jon Lewis)
- Date: Sat, 30 Jul 2011 14:44:26 -0400 (EDT)
- In-reply-to: <F3318834F1F89D46857972DD4B411D700520368F4C@exchange>
- References: <CACRGtSOSPm12YE3S=n801ooun32VrXsRfP7yqO55kcHMSnss9A@mail.gmail.com> <[email protected]> <F3318834F1F89D46857972DD4B411D700520368F4C@exchange>
On Sat, 30 Jul 2011, Drew Weaver wrote:
>> my DNS servers were getting slow so I blocked recursive queries for all
>> but my own network.
>
> This should be the standard practice. By operating an open recursor,
> you lend your DNS server to abuse as a contributor to DNS
> reflection/amplification attacks.
>
> -----------------------------------------------------------------------
>
> And at this point he may as well just ACL in-front of the recursors to
> prevent the traffic from hitting the servers thus reducing load needed
> to reject the queries on the servers themselves.
An awful lot of older/smaller deployments have single servers doing both
authoratative and recursive DNS. These should be setup with either an
allow-recursion { ACL;} statement or separate authoratative and recursive
views limiting recursion to just those networks that should be sending
recursive queries.
Another option is to run separate services bound to different individual
IPs on the server. i.e. bind9 or powerdns for authoratative DNS and
unbound for recursion.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
- Follow-Ups:
- DNS DoS ???
- From: nderitualex at gmail.com (Alex Nderitu)
- References:
- DNS DoS ???
- From: efinley.lists at gmail.com (Elliot Finley)
- DNS DoS ???
- From: rdobbins at arbor.net (Dobbins, Roland)
- DNS DoS ???
- From: drew.weaver at thenap.com (Drew Weaver)