tech-security archive
Re: ISC BIND Amplification Attack
> > running 3.x and 2.x upgrade to BIND 9.5.x via Pkgsrc?
>
> 9.3.x and 9.4.x are fine. You can set allow-query site wide in options to
> only allow queries from your desired networks and then use "allow-query {
> any; };" in each of your public zones.
>
Nice catch. A good work-around until an upgrade can be accomplished on a
per-organization basis. Invert the default behavior.
For those of you asking: "Why not just restrict queries of the root (.)
hint zone to localhost?", here's why:
26-Jan-2009 18:49:20.175 loading configuration from '/etc/named.conf'
26-Jan-2009 18:49:20.182 /etc/named.conf:46: option 'allow-query' is
not allowed in 'hint' zone '.'
26-Jan-2009 18:49:20.183 load_configuration: failure
~BAS
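
The work-around discussed in this message, written out as a named.conf fragment. This is an added example, not part of the original post; the ACL name, the networks, the zone name and the file names are placeholders.

```conf
// Constructed example: "trusted", the networks, "example.org" and all
// file names below are placeholders, not values from the thread.
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;               // replace with your own client networks
};

options {
    directory "/var/named";     // placeholder path

    // Site-wide default: only the listed networks may query.
    // Applies to every zone that does not set its own allow-query.
    allow-query { trusted; };
};

// Public authoritative zone: override the restrictive default so the
// rest of the Internet can still resolve names in it.
zone "example.org" {
    type master;
    file "example.org.db";
    allow-query { any; };
};

// Root hint zone: no allow-query statement here. named refuses to load
// the configuration if one is present ("option 'allow-query' is not
// allowed in 'hint' zone '.'"), which is why the restriction has to be
// set in options instead.
zone "." {
    type hint;
    file "root.cache";
};
```

Running named-checkconf against the file before reloading catches the hint-zone error shown in the log above without taking the server down.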