nanog mailing list archives
Tightened DNS security question re: DNS amplification attacks.
From: Matthew Huff <mhuff () ox com>
Date: Tue, 27 Jan 2009 15:04:19 -0500
Given the recent DNS amplification attacks, I've audited and updated our authoritative servers. We are using 9.6.0-P1 now. I've been using the Cymru templates, but one thing I see is that the DNS queries to the . hint file are still occurring and are not being denied by our servers. For example:

27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
27-Jan-2009 15:00:23.118 queries: client 64.57.246.146#33146: view external-in: query: . IN NS +

The named.conf has:

...
...
...
view "external-in" in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    zone "." in {
        type hint;
        file "db.cache";
    };
...
...

Since you can't put an "allow-query { none; };" in a hint zone, what can I do to deny the query to the . zone file?

----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
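One way to measure the root NS queries in a query log like the one quoted above, as an added example that is not part of the original post: it parses lines in that log format and counts `. IN NS` queries per client within one view. The first two sample lines are the ones from the post and the rest are constructed; the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Matches BIND 9 query-log lines in the format quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"view (?P<view>\S+): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Sample input: lines 1-2 are quoted from the post, lines 3-5 are constructed
# (documentation addresses, one ordinary query, one non-matching line).
SAMPLE_LOG = """\
27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view external-in: query: . IN NS +
27-Jan-2009 15:00:23.118 queries: client 64.57.246.146#33146: view external-in: query: . IN NS +
27-Jan-2009 15:00:24.001 queries: client 192.0.2.10#5353: view external-in: query: www.example.com IN A +
27-Jan-2009 15:00:24.250 queries: client 192.0.2.77#40000: view external-in: query: . IN NS +
this line is not a query log entry
"""


def parse_line(line):
    """Return the fields of one query-log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def root_ns_clients(log_text, view="external-in", threshold=2):
    """Count '. NS' queries per client address in `view`; keep clients at or above `threshold`."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip anything that is not a query-log entry
        if rec["view"] == view and rec["qname"] == "." and rec["qtype"].upper() == "NS":
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(root_ns_clients(SAMPLE_LOG).items()):
        print(f"{ip}\t{n} root NS queries")
```

In amplification traffic the source address is normally spoofed, so the addresses this reports are more likely the intended recipients of the responses than the hosts sending the queries.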