tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ISC BIND Amplification Attack

On Mon, 26 Jan 2009, Brian A. Seklecki wrote:

> For those of you asking: "Why not just restrict queries of the root (.)
> hint zone to localhost?", here's why:
>   26-Jan-2009 18:49:20.175 loading configuration from '/etc/named.conf'
>   26-Jan-2009 18:49:20.182 /etc/named.conf:46: option 'allow-query' is
>                            not  allowed in 'hint' zone '.'
>   26-Jan-2009 18:49:20.183 load_configuration: failure

You could get rid of hints (untested) and maintain your own root hints 
file and use a normal zone for ".". But that still doesn't help since you 
may be asked about other domains, etc from spoofed address.

On a related note, what does NetBSD offer in regards to routing for 
ingress filtering of source addresses from different networks? (In the 
case, where NetBSD is used as the router for the network where these bogus 
DNS queries originate.)

Home | Main Index | Thread Index | Old Index