[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: ISC BIND Amplification Attack
On Mon, 26 Jan 2009, Brian A. Seklecki wrote:
> For those of you asking: "Why not just restrict queries of the root (.)
> hint zone to localhost?", here's why:
> 26-Jan-2009 18:49:20.175 loading configuration from '/etc/named.conf'
> 26-Jan-2009 18:49:20.182 /etc/named.conf:46: option 'allow-query' is
> not allowed in 'hint' zone '.'
> 26-Jan-2009 18:49:20.183 load_configuration: failure
You could get rid of hints (untested) and maintain your own root hints
file and use a normal zone for ".". But that still doesn't help since you
may be asked about other domains, etc from spoofed address.
On a related note, what does NetBSD offer in regards to routing for
ingress filtering of source addresses from different networks? (In the
case, where NetBSD is used as the router for the network where these bogus
DNS queries originate.)
Main Index |
Thread Index |