nanog mailing list archives

Previous By Date Next
Previous By Thread Next

RE: DNS DoS ???

From: Jon Lewis <jlewis () lewis org>
Date: Sat, 30 Jul 2011 14:44:26 -0400 (EDT)
On Sat, 30 Jul 2011, Drew Weaver wrote:
my DNS servers were getting slow so I blocked recursive queries for all but my own network.
This should be the standard practice. By operating an open recursor, you lend your DNS server to abuse as a contributor to DNS reflection/amplification attacks. 

-----------------------------------------------------------------------
And at this point he may as well just ACL in-front of the recursors to prevent the traffic from hitting the servers thus reducing load needed to reject the queries on the servers themselves.
An awful lot of older/smaller deployments have single servers doing both authoratative and recursive DNS. These should be setup with either an allow-recursion { ACL;} statement or separate authoratative and recursive views limiting recursion to just those networks that should be sending recursive queries.
Another option is to run separate services bound to different individual IPs on the server. i.e. bind9 or powerdns for authoratative DNS and unbound for recursion. 

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Previous By Date Next
Previous By Thread Next

Current thread: