[TriLUG] Securing Recursive DNS

Josh Vickery vickeryj at gmail.com
Tue Mar 21 08:36:40 EST 2006


I found a very helpful link in the slashdot comments on the story about this:

http://dnsreport.com/

Not only will the above link check your domain(s) for open recursion
but it will do a number of other checks as well, some of which
surprised me.

Josh

On 3/19/06, Mike Johnson <mike at enoch.org> wrote:
> Tanner Lovelace wrote:
> > Greetings,
> >
> > It looks like people have come up with ways to use recursive DNS
> > servers to cause a distributed denial of service on other name servers[1].
> > There's nothing new here, recursive DNS servers have been the norm
> > for many, many years, but then again, so were open SMTP relays[2].
> > So, as a result, it seems that prudence would suggest that people
> > secure their DNS servers.  However, just turning off recursive DNS
> > is generally not an option because DNS doesn't work without it.
> > Instead, you need to restrict recursive DNS to just your own network.
> > Looks like good instructions for doing that with bind can be found
> > here[3].  Might as well secure now so as to not contribute to problems
> > later. :-(
>
> And people used to sneer at my split-dns setups...  If you aren't
> running BIND, your version of BIND doesn't support views, or you're
> running a DNS server that does not support the concept of recursion
> restriction based on source, there is another way: run two (or more, two
> is a minimum) DNS servers.  These could reside on a multihomed host, if
> you wanted to, but separate physical hosts would be best.  Configure one
> server as authoritative only (this is where you put all your DNS
> entries) that is publicly available and one that is recursive only that
> is only available on your local network.  Configure the recursive DNS
> server to send all requests for your domain directly to the
> authoritative server (this is so you can use bogus/test domains, if you
> want), the rest go to the root servers (or to your ISP's recursive servers).
>
> Mike
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>
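The two layouts discussed above (recursion restricted by source address on one BIND server, and the two-server authoritative/recursive split) written out as BIND 9 named.conf fragments. This is an added example, not configuration from the thread or from the link cited; 192.0.2.0/24, 198.51.100.1 and example.com are documentation placeholders to replace with your own values.

```conf
// Added example, not from the thread. Addresses and example.com are
// placeholders; substitute your own networks and zone.

// (a) Single server: restrict recursion by source address.
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };   // your own LAN only

options {
    directory "/var/named";
    // The unsafe setting is "recursion yes" with no allow-recursion,
    // which answers recursive queries for anyone on the Internet.
    recursion yes;
    allow-recursion { trusted; };   // outsiders get authoritative data only
    allow-query { any; };           // your own zones stay publicly visible
};

// (b) Split setup, part 1: public authoritative-only server.
// /etc/named.conf on the public host (198.51.100.1)
options {
    directory "/var/named";
    recursion no;                   // never recurses, for anyone
};
zone "example.com" { type master; file "example.com.zone"; };

// (b) Split setup, part 2: internal recursive-only server.
// /etc/named.conf on the internal host (192.0.2.53)
options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.0.2.53; };          // LAN interface only
    allow-query { 127.0.0.1; 192.0.2.0/24; };
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };
};
// Queries for your own zone go straight to the authoritative server
// (this also covers bogus/test domains); everything else follows the
// root hints, or point forwarders at your ISP's resolvers instead.
zone "example.com" { type forward; forward only; forwarders { 198.51.100.1; }; };
zone "." { type hint; file "named.ca"; };
```

After reloading, confirm from an address outside the trusted ACL that a query for a name you are not authoritative for comes back with the RA flag clear or REFUSED, and from inside that it still resolves.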
