[111042] in North American Network Operators' Group


Re: Tightened DNS security question re: DNS amplification

daemon@ATHENA.MIT.EDU (jay@miscreant.org)
Tue Jan 27 16:42:50 2009

Date: Wed, 28 Jan 2009 08:42:39 +1100
From: jay@miscreant.org
To: Matthew Huff <mhuff@ox.com>
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9830CC657D3@PUR-EXCH07.ox.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Quoting Matthew Huff <mhuff@ox.com>:

> Given the recent DNS amplification attacks, I've audited and updated our
> authoritative servers. We are using 9.6.0-P1 now. I've been using the cymru
> templates, but one thing I see is that the dns queries to the . hint file
> are still occurring and are not being denied by our servers. For example:
>
> 27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view
> external-in: query: . IN NS +
> 27-Jan-2009 15:00:23.118 queries: client 64.57.246.146#33146: view
> external-in: query: . IN NS +
>
> the named.conf has:
>
> ...
> ...
> ...
>
> view "external-in" in {
>   match-clients { any; };
>   recursion no;
>   additional-from-auth no;
>   additional-from-cache no;
>
>   zone "." in {
>     type hint;
>     file "db.cache";
>   };
> ...
> ...
>
> since you can't put an "allow-query { none; };" in a hint zone, what can I do
> to deny the query to the . zone file?
>
>
>
> ----
> Matthew Huff        | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:   914-460-4139
>

Hi Matthew,

I'm using the following with 9.5.1:

view    "external" {
     recursion no;
     // refuse every answer served from the cache, which is where
     // the root hints live, so ". IN NS" is denied instead of answered
     allow-query-cache { none; };
     zone "." IN {
         type hint;
         file "/var/named/named.ca";
     };
};

And my logs indicate that the requests for . IN NS are being denied:

Jan 28 08:40:38 web1 named[12337]: client 64.57.246.146#33453: view
external: query (cache) './NS/IN' denied
Jan 28 08:40:39 web1 named[12337]: client 67.192.144.0#41794: view
external: query (cache) './NS/IN' denied

Cheers,

Jay


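An added example, not from Jay's or Matthew's posts: a small Python checker that parses the two BIND log formats quoted in this thread (the "queries" channel line Matthew shows, and the "query (cache) ... denied" line Jay shows) and reports, per client, how many root NS queries were answered versus denied, so an operator can confirm that allow-query-cache { none; } has actually taken effect. The sample log lines are constructed here, modelled on the ones in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real log data), modelled on the two BIND
# formats quoted in the thread: the "queries" channel, which logs queries
# the server went on to answer, and the security channel "denied" line.
SAMPLE_LOG = """\
27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
27-Jan-2009 15:00:23.118 queries: client 64.57.246.146#33146: view external-in: query: . IN NS +
27-Jan-2009 15:00:24.001 queries: client 192.0.2.10#5353: view external-in: query: www.example.com IN A -
Jan 28 08:40:38 web1 named[12337]: client 64.57.246.146#33453: view external: query (cache) './NS/IN' denied
Jan 28 08:40:39 web1 named[12337]: client 67.192.144.0#41794: view external: query (cache) './NS/IN' denied
"""

# queries channel: ... client IP#port: view NAME: query: QNAME IN QTYPE FLAGS
ANSWERED_RE = re.compile(
    r"client (?P<ip>[^#\s]+)#\d+: view (?P<view>\S+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)$"
)
# security channel: ... client IP#port: view NAME: query (cache) 'QNAME/QTYPE/IN' denied
DENIED_RE = re.compile(
    r"client (?P<ip>[^#\s]+)#\d+: view (?P<view>\S+): "
    r"query \(cache\) '(?P<qname>[^/]+)/(?P<qtype>[^/]+)/IN' denied$"
)


def root_ns_activity(log_text):
    """Return {client_ip: {"answered": n, "denied": m}} for ". IN NS" queries.

    "answered" counts root-NS queries that reached the queries channel, i.e.
    the hints were still being served (Matthew's situation); "denied" counts
    those refused by allow-query-cache { none; } (Jay's situation). Queries
    for any other name or type are ignored.
    """
    stats = defaultdict(lambda: {"answered": 0, "denied": 0})
    for line in log_text.splitlines():
        m = ANSWERED_RE.search(line)
        if m and m.group("qname") == "." and m.group("qtype") == "NS":
            stats[m.group("ip")]["answered"] += 1
            continue
        m = DENIED_RE.search(line)
        if m and m.group("qname") == "." and m.group("qtype") == "NS":
            stats[m.group("ip")]["denied"] += 1
    return dict(stats)


def still_answering_root_ns(log_text):
    """True if any client still got a root-NS query answered: config not yet effective."""
    return any(s["answered"] for s in root_ns_activity(log_text).values())
```

Run it against a real query log after reloading named; a non-empty "answered" count for any client means the hint zone is still reachable through the cache in that view.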
