tech-security archive

Re: ISC BIND Amplification Attack



On Mon, 26 Jan 2009, Brian A. Seklecki wrote:

> For those of you asking: "Why not just restrict queries of the root (.)
> hint zone to localhost?", here's why:
> 
>   26-Jan-2009 18:49:20.175 loading configuration from '/etc/named.conf'
>   26-Jan-2009 18:49:20.182 /etc/named.conf:46: option 'allow-query' is
>                            not  allowed in 'hint' zone '.'
>   26-Jan-2009 18:49:20.183 load_configuration: failure

You could get rid of hints (untested) and maintain your own root hints 
file and use a normal zone for ".". But that still doesn't help, since you 
may be asked about other domains, etc. from spoofed addresses.

On a related note, what does NetBSD offer in regards to routing for 
ingress filtering of source addresses from different networks? (In the 
case where NetBSD is used as the router for the network where these bogus 
DNS queries originate.)
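The BIND side of the thread above, as an added example that is not part of either poster's message: a named.conf fragment that restricts who may use the resolver at all, instead of trying to restrict the hint zone. It assumes BIND 9 (9.4 or later, where allow-query-cache exists) and uses 192.0.2.0/24 as a stand-in for the local client network; the file name for the root hints is likewise an assumption.

```conf
// Added example, not from the original thread.
// Assumed: 192.0.2.0/24 is the local client network; "root.cache" is the
// root hints file shipped with the distribution.

acl trusted { 127.0.0.1; ::1; 192.0.2.0/24; };

options {
    recursion yes;

    // Weak setting this replaces: 'allow-recursion { any; };' (or no
    // restriction at all). With that, a query for *any* name arriving
    // with a spoofed source gets answered, so limiting the root zone
    // alone changes nothing, as the reply above points out.
    allow-recursion  { trusted; };
    allow-query-cache { trusted; };
};

// The hint zone stays as shipped. A per-zone 'allow-query' here is
// rejected at load time with exactly the error quoted above.
zone "." {
    type hint;
    file "root.cache";
};
```

For a server that is authoritative only, the same idea collapses to `recursion no;` in `options`, which removes the reflector behaviour entirely. Neither setting stops spoofed packets from arriving; that is the ingress-filtering question raised above, which has to be answered at the router.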

