[TriLUG] Securing Recursive DNS
Mike Johnson
mike at enoch.org
Sun Mar 19 17:40:00 EST 2006
Tanner Lovelace wrote:
> Greetings,
>
> It looks like people have come up with ways to use recursive DNS
> servers to cause a distributed denial of service on other name servers[1].
> There's nothing new here, recursive DNS servers have been the norm
> for many, many years, but then again, so were open SMTP relays[2].
> So, as a result, it seems that prudence would suggest that people
> secure their DNS servers. However, just turning off recursive DNS
> is generally not an option because DNS doesn't work without it.
> Instead, you need to restrict recursive DNS to just your own network.
> Looks like good instructions for doing that with bind can be found
> here[3]. Might as well secure now so as to not contribute to problems
> later. :-(
And people used to sneer at my split-dns setups... If you aren't
running BIND, your version of BIND doesn't support views, or you're
running a DNS server that does not support the concept of recursion
restriction based on source, there is another way: run two (or more, two
is a minimum) DNS servers. These could reside on a multihomed host, if
you wanted to, but separate physical hosts would be best. Configure one
server as authoritative only (this is where you put all your DNS
entries) that is publicly available and one that is recursive only that
is only available on your local network. Configure the recursive DNS
server to send all requests for your domain directly to the
authoritative server (this is so you can use bogus/test domains, if you
want), the rest go to the root servers (or to your ISP's recursive servers).
Mike
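As an added illustration (not part of Mike's or Tanner's messages), the following BIND 9 named.conf fragments show both of the approaches discussed above: restricting recursion by source on a single server, and the two-server split (authoritative-only public server, recursive-only internal server that forwards your own domain to the authoritative one). The zone name example.com, the ACL name "internal", and every address (192.0.2.53 for the authoritative server, 192.168.1.0/24 for the LAN, 198.51.100.x for the ISP's resolvers) are placeholders chosen for this example.

```conf
## ---------------------------------------------------------------
## Option A: one BIND 9 server, recursion restricted by source.
## Outside hosts may still query the zones you are authoritative
## for; recursive lookups from them are refused.
## ---------------------------------------------------------------
acl "internal" { 127.0.0.1; 192.168.1.0/24; };   # placeholder LAN range

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };    # only our own network may recurse
    allow-query-cache { internal; };  # BIND 9.4+: do not hand cached answers to outsiders
};

zone "example.com" {                  # placeholder zone
    type master;
    file "example.com.zone";
};

## ---------------------------------------------------------------
## Option B, server 1: authoritative only, reachable from anywhere.
## No root hints and recursion off, so it never chases a query
## for a name it does not serve.
## ---------------------------------------------------------------
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };        # placeholder public address
    recursion no;                     # authoritative only
    allow-query { any; };             # the world may ask about our zones
    allow-transfer { 192.0.2.54; };   # placeholder: secondaries only
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

## ---------------------------------------------------------------
## Option B, server 2: recursive only, internal network only.
## Queries for our own domain (and any bogus/test domain) go
## straight to server 1; everything else goes to the roots, or to
## the ISP's resolvers if the global forwarders are uncommented.
## ---------------------------------------------------------------
acl "internal" { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/var/named";
    listen-on { 192.168.1.2; };       # placeholder internal address
    allow-query { internal; };
    allow-recursion { internal; };
    recursion yes;
    # Uncomment to use the ISP's resolvers instead of the root servers:
    # forwarders { 198.51.100.1; 198.51.100.2; };   # placeholder ISP resolvers
    # forward only;
};

zone "." {                            # root hints, used when not forwarding globally
    type hint;
    file "named.root";
};

zone "example.com" {                  # our own domain: ask server 1 directly
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

zone "lab.test" {                     # placeholder internal-only test domain, same idea
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```

A per-zone `forward` block overrides the global `forwarders` setting, so the internal resolver still reaches your authoritative server directly even when everything else is forwarded to the ISP. To confirm the result, query your own public server from a host outside the network for a name you do not serve: the reply should carry no answer and no `ra` (recursion available) flag, while the same query against the internal resolver from the LAN is answered.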