[TriLUG] Securing Recursive DNS

Tanner Lovelace clubjuggler at gmail.com
Thu Mar 16 15:55:34 EST 2006


Greetings,

It looks like people have come up with ways to use recursive DNS
servers to cause a distributed denial of service on other name servers[1].
There's nothing new here; recursive DNS servers have been the norm
for many, many years, but then again, so were open SMTP relays[2].
So, as a result, it seems that prudence would suggest that people
secure their DNS servers.  However, just turning off recursive DNS
is generally not an option because DNS doesn't work without it.
Instead, you need to restrict recursive DNS to just your own network.
Looks like good instructions for doing that with BIND can be found
here[3].  Might as well secure now so as to not contribute to problems
later. :-(

Cheers,
Tanner

[1] http://news.yahoo.com/s/ap/20060316/ap_on_hi_te/internet_attack
[2] http://www.webmasterworld.com/forum23/4488.htm
[3] http://www.cymru.com/Documents/secure-bind-template.html

--
Tanner Lovelace
clubjuggler at gmail dot com
http://wtl.wayfarer.org/
(fieldless) In fess two roundels in pale, a billet fesswise and an
increscent, all sable.
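
An added example, not part of the original message or of the linked template: a minimal BIND 9 named.conf fragment that keeps recursion on but limits it to local networks, with the open setting shown commented out for contrast. The ACL name, directory path, zone name and address ranges are constructed placeholders (the ranges are the reserved documentation prefixes).

```conf
// Constructed example. Replace the documentation prefixes below
// with the networks that should be allowed to use this resolver.
acl "trusted" {
    localhost;          // the server itself
    localnets;          // networks on directly attached interfaces
    192.0.2.0/24;       // placeholder internal IPv4 range
    2001:db8::/32;      // placeholder internal IPv6 range
};

options {
    directory "/var/named";   // assumed path, distribution dependent

    recursion yes;

    // Weak: any host on the Internet can make this server recurse
    // on its behalf, which is the open-resolver case.
    // allow-recursion { any; };

    // Corrected: only the trusted networks get recursive service.
    allow-recursion { trusted; };
};

// Zones this server is authoritative for can still be answered
// for everyone; restricting recursion does not affect them.
zone "example.com" {
    type master;
    file "example.com.zone";  // hypothetical zone file
    allow-query { any; };
};
```

Running named-checkconf against the edited file before reloading named catches syntax errors in the ACL or options block.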


