tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ISC BIND Amplification Attack

> >   running 3.x and 2.x upgrade to BIND 9.5.x via Pkgsrc?
> 9.3.x and 9.4.x are fine. You can set allow-query site wide in options to
> only allow queries from your desired networks and then use "allow-query {
> any; };" in each of your public zones.

Nice catch.  A good work-around until an upgrade can be accomplished on a
per-organization basis.  Invert the default behvior.

For those of you asking: "Why not just restrict queries of the root (.)
hint zone to localhost?", here's why:

  26-Jan-2009 18:49:20.175 loading configuration from '/etc/named.conf'
  26-Jan-2009 18:49:20.182 /etc/named.conf:46: option 'allow-query' is
                           not  allowed in 'hint' zone '.'
  26-Jan-2009 18:49:20.183 load_configuration: failure


Home | Main Index | Thread Index | Old Index