[143138] in North American Network Operators' Group


RE: DNS DoS ???

daemon@ATHENA.MIT.EDU (Jon Lewis)
Sat Jul 30 14:44:38 2011

Date: Sat, 30 Jul 2011 14:44:26 -0400 (EDT)
From: Jon Lewis <jlewis@lewis.org>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <F3318834F1F89D46857972DD4B411D700520368F4C@exchange>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sat, 30 Jul 2011, Drew Weaver wrote:

>> my DNS servers were getting slow so I blocked recursive queries for all 
>> but my own network.
>
> This should be the standard practice.  By operating an open recursor, 
> you lend your DNS server to abuse as a contributor to DNS 
> reflection/amplification attacks.
>
> -----------------------------------------------------------------------
>
> And at this point he may as well just ACL in-front of the recursors to 
> prevent the traffic from hitting the servers thus reducing load needed 
> to reject the queries on the servers themselves.

An awful lot of older/smaller deployments have single servers doing both 
authoritative and recursive DNS.  These should be set up with either an 
allow-recursion { ACL;} statement or separate authoritative and recursive 
views limiting recursion to just those networks that should be sending 
recursive queries.

Another option is to run separate services bound to different individual 
IPs on the server.  i.e. bind9 or powerdns for authoritative DNS and 
unbound for recursion.

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
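Added example (not from Jon Lewis's message or anyone else in the thread): a BIND 9 named.conf for a single host that is authoritative for one zone and also recurses, but only for its own networks, using both mechanisms the reply names, an allow-recursion ACL and separate internal/external views. The ACL name "trusted", the zone example.com, the file paths and the documentation prefixes 192.0.2.0/24 and 2001:db8::/32 are placeholders to be replaced with the operator's real values.

```conf
// Added example, not part of the original NANOG thread.
// Goal: stop this server from being an open recursor (usable for
// DNS reflection/amplification) while still answering authoritative
// queries for example.com from anywhere.

// Networks allowed to send recursive queries.  The prefixes below are
// RFC 5737/3849 documentation ranges used here as placeholders.
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;        // placeholder: your customer/internal IPv4 space
    2001:db8::/32;       // placeholder: your IPv6 space
};

options {
    directory "/var/named";

    // Weak (open recursor) setting, shown for contrast:
    //     recursion yes;          with no allow-recursion restriction
    //
    // Hardened setting: recursion stays on, but only for "trusted".
    // Clients outside the ACL get REFUSED for non-authoritative names.
    recursion yes;
    allow-recursion { trusted; };

    // Keep cached answers from leaking to the world as well.
    allow-query-cache { trusted; };

    // Authoritative data is public; anyone may query it.
    allow-query { any; };
};

// Second mechanism from the reply: split views.  Either mechanism on its
// own is enough; combining them also keeps the external view from ever
// recursing, regardless of later edits to the options block.
// Note: once any view is defined, every zone must live inside a view.

view "internal" {
    match-clients { trusted; };
    recursion yes;

    // Root hints are required for a recursing view.
    zone "." {
        type hint;
        file "named.ca";
    };

    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

Check the file with `named-checkconf` before reloading.  From an address outside "trusted", `dig @<server> www.example.org` should come back with status REFUSED and without the `ra` flag, while `dig @<server> example.com SOA` still answers; from inside the ACL both resolve.  The ACL only limits who may use the cache and the resolver; it does nothing about the load of the rejected packets themselves, which is why the upstream ACL suggested earlier in the thread still has value.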

