Domain Name System protection
Bruce Pinsky
bep at whack.org
Mon Aug 16 19:40:55 UTC 2004
Suresh Ramasubramanian wrote:
|
| Joe Shen wrote:
|
|> We noticed there are continuous name resolution requests
|> from IP addresses outside of our address pool and also
|> there are requests not conforming to DNS documents
|> (like those from 10/8, 192.168/16 or something for
|> Microsoft proxy server name). We think these requests
|> waste our resources and we don't want these system
|> stable, secure and high performance.
|
|
| If the resolver caches are only supposed to be accessed from your IP
| space, I am sure you can easily throw in a router ACL to accept
| connections on port 53 only from these IPs.
|
| Oh, and filter out bogons at your borders while you are at it (like for
| example rfc1918 source addresses from outside your network)
|
And check out the CYMRU Secure Bind template at
http://www.cymru.com/Documents/secure-bind-template.html
--
=========
bep
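
An added example, not part of the original thread: before deploying the port 53 ACL and border bogon filter suggested above, a resolver's query sources can be audited to see which clients the filters would reject. The log format, the pool prefixes (documentation ranges) and the special-use ranges listed beyond RFC 1918 are assumptions chosen for illustration; only IPv4 is handled.

```python
import ipaddress
from collections import Counter

# RFC 1918 space named in the thread, plus a few other special-use ranges
# that should never appear as a source address at an Internet border.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

# Assumption: the operator's own address pool (documentation prefixes).
POOL = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def classify(src, pool=POOL):
    """Return 'pool', 'bogon' or 'external' for one source address."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in pool):      # own space is checked first
        return "pool"
    if any(addr in net for net in BOGONS):
        return "bogon"
    return "external"

def audit(log_lines, pool=POOL):
    """Count queries per verdict and per source the ACL would reject."""
    verdicts, rejected = Counter(), Counter()
    for line in log_lines:
        try:
            src, _qname, _qtype = line.split()
            verdict = classify(src, pool)
        except ValueError:        # wrong field count or unparsable address
            verdict = "malformed"
        verdicts[verdict] += 1
        if verdict in ("bogon", "external"):
            rejected[src] += 1
    return verdicts, rejected

# Constructed sample: "<source-ip> <qname> <qtype>", not a real log format.
SAMPLE = """\
192.0.2.17 www.example.com A
10.1.2.3 wpad A
192.168.0.44 proxy.example.net A
203.0.113.9 www.example.org A
203.0.113.9 mail.example.org MX
garbage line
""".splitlines()

if __name__ == "__main__":
    counts, offenders = audit(SAMPLE)
    print(dict(counts), offenders.most_common())
```

Sources reported as "external" are the ones a pool-only ACL on port 53 would drop; "bogon" sources should already be gone at the border.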