Tightened DNS security question re: DNS amplification attacks.
Matthew Huff
mhuff at ox.com
Tue Jan 27 20:04:19 UTC 2009
Given the recent DNS amplification attacks, I've audited and updated our
authoritative servers. We are using 9.6.0-P1 now. I've been using the Cymru
templates, but one thing I see is that the DNS queries to the . hint file
are still occurring and are not being denied by our servers. For example:
27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
27-Jan-2009 15:00:23.118 queries: client 64.57.246.146#33146: view external-in: query: . IN NS +
The named.conf has:
...
...
...
view "external-in" in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    zone "." in {
        type hint;
        file "db.cache";
    };
...
...
Since you can't put an "allow-query { none; };" in a hint zone, what can I do
to deny the query to the . zone file?
----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
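The log lines in the post are the BIND "queries" category format, and before changing the configuration it is useful to know which clients are repeatedly asking the external view for the root NS set. The following is an added example, not code from the post or from BIND: it parses that line layout and tallies root-zone queries per client address. The sample log is constructed for the example (the first two lines mirror the post; the remaining addresses, ports and the malformed line are made up).

```python
"""Tally root-zone ("." IN NS/ANY) queries per client from BIND query logs.

Added example, not from the original post. Parses the 'queries' category
line layout shown in the post and counts, per client address, how many
queries ask for the root zone in a given view. Sample log lines below are
constructed for this example.
"""
import re
from collections import Counter

# Layout of a BIND 9 'queries' category line as it appears in the post:
# <date> <time> queries: client <ip>#<port>: view <view>: query: <name> <class> <type> <flags>
QUERY_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) queries: client (?P<client>[^#\s]+)#(?P<port>\d+): "
    r"view (?P<view>[^:]+): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
    r"(?: (?P<flags>\S+))?\s*$"
)

# Constructed sample: two lines from the post plus made-up entries.
SAMPLE_LOG = """\
27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
27-Jan-2009 15:00:23.118 queries: client 64.57.246.146#33146: view external-in: query: . IN NS +
27-Jan-2009 15:00:23.401 queries: client 192.0.2.10#51234: view external-in: query: www.example.com IN A -
27-Jan-2009 15:00:24.007 queries: client 198.51.100.7#40001: view external-in: query: . IN NS +
27-Jan-2009 15:00:24.512 queries: client 64.57.246.146#44444: view external-in: query: . IN ANY +
this line is not a query log entry
"""


def parse_query_line(line):
    """Return a dict of fields for one query-log line, or None if it does not match."""
    m = QUERY_LINE.match(line)
    return m.groupdict() if m else None


def root_queries_by_client(lines, view=None, qtypes=("NS", "ANY")):
    """Count queries whose name is the root zone ".", per client address.

    view:   if given, only lines from that view are counted.
    qtypes: query types to count (root NS and ANY are the usual reflector probes).
    """
    counts = Counter()
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue  # not a query log line (other category, truncated, etc.)
        if view is not None and rec["view"] != view:
            continue
        if rec["qname"] == "." and rec["qclass"] == "IN" and rec["qtype"] in qtypes:
            counts[rec["client"]] += 1
    return counts


def clients_over_threshold(counts, threshold):
    """Return [(client, count), ...] for clients at or above threshold, busiest first."""
    hits = [(c, n) for c, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    counts = root_queries_by_client(SAMPLE_LOG.splitlines(), view="external-in")
    for client, n in clients_over_threshold(counts, 2):
        print(f"{client}: {n} root-zone queries in view external-in")
```

Run it against a real file with `root_queries_by_client(open(path), view="external-in")`; the threshold is a local choice, and the per-client counts are what you would compare before and after any change to the external view.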