[TriLUG] Securing Recursive DNS
mike at enoch.org
Sun Mar 19 17:40:00 EST 2006
Tanner Lovelace wrote:
> It looks like people have come up with ways to use recursive DNS
> servers to cause a distributed denial of service on other name servers.
> There's nothing new here, recursive DNS servers have been the norm
> for many, many years, but then again, so were open SMTP relays.
> So, as a result, it seems that prudence would suggest that people
> secure their DNS servers. However, just turning off recursive DNS
> is generally not an option because DNS doesn't work without it.
> Instead, you need to restrict recursive DNS to just your own network.
> Looks like good instructions for doing that with bind can be found
> here. Might as well secure now so as to not contribute to problems
> later. :-(
And people used to sneer at my split-dns setups... If you aren't
running BIND, your version of BIND doesn't support views, or you're
running a DNS server that does not support the concept of recursion
restriction based on source, there is another way: run two (or more, two
is a minimum) DNS servers. These could reside on a multihomed host, if
you wanted to, but separate physical hosts would be best. Configure one
server as authoritative only (this is where you put all your DNS
entries) that is publicly available and one that is recursive only that
is only available on your local network. Configure the recursive DNS
server to send all requests for your domain directly to the
authoritative server (this is so you can use bogus/test domains, if you
want), the rest go to the root servers (or to your ISP's recursive servers).
More information about the TriLUG