[TriLUG] Securing Recursive DNS

Jon Carnes jonc at nc.rr.com
Thu Mar 16 16:32:05 EST 2006


Excellent advice!
Thanks Tanner.

On Thu, 2006-03-16 at 15:55, Tanner Lovelace wrote:
> Greetings,
> 
> It looks like people have come up with ways to use recursive DNS
> servers to cause a distributed denial of service on other name servers[1].
> There's nothing new here; recursive DNS servers have been the norm
> for many, many years, but then again, so were open SMTP relays[2].
> So, as a result, it seems that prudence would suggest that people
> secure their DNS servers.  However, just turning off recursive DNS
> is generally not an option because DNS doesn't work without it.
> Instead, you need to restrict recursive DNS to just your own network.
> Looks like good instructions for doing that with BIND can be found
> here[3].  Might as well secure now so as to not contribute to problems
> later. :-(
> 
> Cheers,
> Tanner
> 
> [1] http://news.yahoo.com/s/ap/20060316/ap_on_hi_te/internet_attack
> [2] http://www.webmasterworld.com/forum23/4488.htm
> [3] http://www.cymru.com/Documents/secure-bind-template.html
> 
> --
> Tanner Lovelace
> clubjuggler at gmail dot com
> http://wtl.wayfarer.org/
> (fieldless) In fess two roundels in pale, a billet fesswise and an
> increscent, all sable.
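
An added example, not part of the original messages or of the linked template: a minimal BIND named.conf fragment that restricts recursion to local clients while still answering authoritative queries from anyone. The ACL name, the 192.0.2.0/24 range and the example.com zone are constructed placeholders to be replaced with your own values.

```conf
// Constructed example. 192.0.2.0/24 is a documentation range standing in
// for "your own network"; "trusted" is a hypothetical ACL name.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;
};

options {
    directory "/var/named";

    // Weak setting, shown for contrast (an open resolver):
    //   allow-recursion { any; };
    // Restricted setting: recursion stays on, but only for our own clients.
    recursion yes;
    allow-recursion { trusted; };
};

// Zones this server is authoritative for can still be queried by anyone;
// only recursive lookups on behalf of outsiders are refused.
zone "example.com" {
    type master;
    file "example.com.zone";   // hypothetical zone file name
    allow-query { any; };
};
```

After reloading named, a recursive query for an outside name sent from a host outside the "trusted" ACL should come back refused, while the same query from inside the ACL resolves normally.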



