In this, their first in-person podcast, Matt and Cricket examine the redundancy of the phrase “aiding and abetting,” discuss quirks in forwarding terminology, and cover two DNS-related security issues: One in which resolvers are reconfigured by malware to use open recursive name servers, and another — happening on the Internet right now — in which name servers are used as amplifiers in a DDoS attack.
Glad to see Mr. DNS live and kicking!
In this episode 4, you talk about how to avoid getting involved in these ongoing DDoS attacks (DNS reflection / amplification).
The solution mentioned by the writer (a no-access root zone) seems a good response to the specific attack – but will of course fail as soon as the attacker starts randomizing the query name (there are some indications that this is already underway).
You talk about configuring BIND not to send “additional” records – but if I understand this correctly – BIND will still respond (participate in the attack) – just with a smaller response.
I think that a better solution would be to configure the name server to ignore all lame requests (requests from IP not allowed recursion, and not for name in local zone).
I don’t know how this is configured in BIND, but for reference, here is the config for Simple DNS Plus: http://www.simpledns.com/newsitem.aspx?id=2362
Thanks for a great podcast.
Posted by Jesper on February 3rd, 2009.
Hi, Jesper. Thanks for your comment!
Yes, you’re quite right: If you grab a copy of the root zone’s data file and configure it on your name server with an
allow-query { none; };
ACL, that ACL applies only to the contents of the root zone. An attacker can still query your name server for (for example) mumble.com, which is in a delegated subdomain and hence not covered by the ACL, and your name server will reply with an upward referral. I hadn’t thought about that.
The two suggestions we made in the podcast aren’t susceptible to this, though: Disabling upward referrals disables them for any query, and
options {
    allow-query { none; };
};
applies the ACL to any queries outside of authoritative zones.
I don’t think BIND has a direct analogue to the “ignore all lame requests” feature you mention in Simple DNS Plus – that sounds handy!
cricket
Posted by cricket on February 3rd, 2009.
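The two named.conf fragments below contrast the root-zone-only ACL that Jesper and cricket discuss with the options-level default-deny the podcast recommends. They are added here as an illustration and are not from the podcast or from any BIND documentation; the zone name example.net and the file paths are placeholders, and the directives used (allow-query, recursion, minimal-responses) are standard BIND 9 options. Treat (1) and (2) as alternatives, not one file.

```conf
// (1) Weak: only the local copy of the root zone carries the ACL. A query
//     for a name under a delegated TLD (mumble.com) is not covered by it,
//     so the server still answers with an upward referral and still works
//     as a reflector for spoofed queries.
zone "." {
    type master;
    file "/path/to/root.zone";      // placeholder path
    allow-query { none; };
};

// (2) Hardened: deny everything by default in options{}, then re-open
//     queries only for the zones this server is authoritative for.
//     Anything else, including names in delegated subdomains, gets REFUSED.
options {
    directory "/var/named";         // placeholder
    recursion no;                   // authoritative-only: never recurse for outsiders
    allow-query { none; };          // default-deny for names outside our zones
    minimal-responses yes;          // drop optional authority/additional records,
                                    // shrinking whatever responses do go out
};

zone "example.net" {                // placeholder zone; substitute your own
    type master;
    file "example.net.zone";        // placeholder path
    allow-query { any; };           // zone-level ACL overrides the options{} default
};
```

After reloading, a query such as `dig @server mumble.com A` should return status REFUSED with an empty answer, while `dig @server example.net SOA` is still answered normally.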