[80804] in North American Network Operators' Group


Re: Malicious DNS request?

daemon@ATHENA.MIT.EDU (Brad Knowles)
Thu May 12 11:52:11 2005

In-Reply-To: <200505121526.j4CFQm8t012695@turing-police.cc.vt.edu>
Date: Thu, 12 May 2005 17:48:27 +0200
To: Valdis.Kletnieks@vt.edu
From: Brad Knowles <brad@stop.mail-abuse.org>
Cc: Brad Knowles <brad@stop.mail-abuse.org>,
	Gadi Evron <ge@linuxbox.org>, Joe Shen <joe_hznm@yahoo.com.sg>,
	NANGO <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu


At 11:26 AM -0400 2005-05-12, Valdis.Kletnieks@vt.edu wrote:

>  It's often suggested that you have *two* DNS setups - one that only answers
>  requests from inside for recursion and caching, and an authoritative one that
>  faces out and refuses to recurse.

	The original question from Joe Shen said that a remote computer 
was asking questions about certain servers, but did not specify 
whether or not the "remote computer" in question was a customer. 
Gadi's response was to refuse to answer requests for domains that you 
don't own, which didn't address the issue of whether or not the 
"remote computer" was a customer, or what kind of server that Joe was 
running.


	Your answer is the complete and correct one, at least for the 
technical issue of how you should be running your nameservers so that 
you avoid external abuse and reduce the probability of having your 
DNS servers compromised.

	It's taken us a while to get to this correct and complete answer, however.

-- 
Brad Knowles, <brad@stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
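
The split setup discussed in this message can be checked from outside by sending the outward-facing server a recursion-desired query for a zone it does not serve and inspecting the reply header. The sketch below is an added example, not part of the original message: the function names and verdict labels are hypothetical, and the response bytes are constructed so it runs offline.

```python
import struct

# DNS header flag masks (RFC 1035, section 4.1.1)
QR, RD, RA, RCODE_MASK = 0x8000, 0x0100, 0x0080, 0x000F
REFUSED = 5

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0x1234, qtype=1):
    """Build an A query with RD=1, i.e. 'please recurse for me'."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def classify_response(resp, txid=0x1234):
    """Say how a server treated an RD=1 query for a zone it does not own."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & QR:
        return "malformed"
    rcode = flags & RCODE_MASK
    if rcode == REFUSED:
        return "refuses"            # wanted on the outward-facing server
    if flags & RA and rcode == 0 and an > 0:
        return "open-recursion"     # answered a stranger's recursive query
    if not flags & RA:
        return "no-recursion"       # e.g. a referral from an authoritative-only server
    return "recursion-available"    # RA set, but this reply carried no answer

def constructed_samples(name="example.com"):
    """Constructed reply headers (not captured traffic) for each case."""
    q = encode_name(name) + struct.pack("!HH", 1, 1)
    hdr = lambda flags, an, ns: struct.pack("!HHHHHH", 0x1234, flags, 1, an, ns, 0)
    return {
        "refused": hdr(QR | RD | REFUSED, 0, 0) + q,
        "open": hdr(QR | RD | RA, 1, 0) + q,
        "referral": hdr(QR | RD, 0, 2) + q,
    }

if __name__ == "__main__":
    for label, resp in constructed_samples().items():
        print(label, "->", classify_response(resp))
```

Run against the outside address, the authoritative server should come back as "refuses" or "no-recursion"; "open-recursion" means it is answering recursive queries for anyone.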
