Judging by the security news, sysadmins are becoming more and more concerned about poorly configured DNS servers, especially now that recent reports show an increase in distributed denial of service attacks that abuse open recursive DNS servers. Below are some very basic tips to protect your machines against this kind of attack.
As you probably know, a recursive DNS server (a caching DNS server) answers clients' queries for arbitrary DNS records. Queries it cannot answer directly (records that are not local to it) are resolved by asking the servers that can answer them. Once it gets the answers, it stores them in its cache for future use (note that this data is not cached forever: each record is kept only until its TTL expires).
An authoritative DNS server, on the other hand, only serves to the world the records of the specific domains it is responsible for, and is known as authoritative for those domains.
Nowadays everybody with some security skills agrees on the importance of separating DNS caches (recursive resolvers) from authoritative DNS servers. Even Bind (the most widely used DNS implementation) follows this recommendation in its documentation.
The easiest way to limit recursion in Bind9 is to put something like this in the options block of your named.conf (the original fragment was missing the closing brace of the options block):

    options {
        allow-query { any; };
        allow-recursion { 192.168.1.0/24; localhost; };
    };
This will allow recursion only from your internal network and from localhost; everybody else still gets answers for the zones you are authoritative for (allow-query is "any"), but a request to recurse gets a REFUSED. If the machine is meant to be authoritative only and should never recurse for anybody, use recursion no; instead of an allow-recursion list. A better solution… SWITCH TO DJBDNS!!
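To verify that the restriction actually took effect from outside your network, here is a small probe I am adding to this post (it is not part of the original text, of DjbDNS, or of Bind). It builds a raw DNS query with the RD (recursion desired) bit set, sends it to a server, and classifies the reply from the header flags: RCODE REFUSED means recursion was denied, RA set together with a resolved answer means the server recursed for us (an open resolver), and an AA answer means you queried a name the server is authoritative for, which proves nothing about recursion. The server address, the test name and the sample reply headers used for offline checking are all constructed for this example.

```python
import random
import socket
import struct

# Hypothetical target and query name, chosen for the example; query a name the
# server is NOT authoritative for, otherwise the answer says nothing about recursion.
EXAMPLE_SERVER = "192.0.2.53"
EXAMPLE_QNAME = "www.example.com"

# DNS header flag bits (RFC 1035): QR(15) Opcode(14-11) AA(10) TC(9) RD(8) RA(7) RCODE(3-0)
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_RD = 0x0100
FLAG_RA = 0x0080
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def build_query(qname, qtype=1, txn_id=None):
    """Build a DNS query for qname (QTYPE A by default, class IN) with RD=1."""
    if txn_id is None:
        txn_id = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txn_id, FLAG_RD, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)
    return txn_id, header + question


def classify_response(txn_id, data):
    """Classify a DNS reply from its 12-byte header.

    Returns one of: "refused", "authoritative-answer", "open",
    "recursion-unavailable", "unknown".
    """
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txn_id:
        raise ValueError("transaction id mismatch, ignoring reply")
    if not flags & FLAG_QR:
        raise ValueError("packet is a query, not a response")
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"                 # recursion (or any query) denied to this client
    if flags & FLAG_AA:
        return "authoritative-answer"    # server owns this name; pick another qname
    if flags & FLAG_RA and (rcode == RCODE_NXDOMAIN or (rcode == RCODE_NOERROR and ancount > 0)):
        return "open"                    # server recursed on our behalf
    if not flags & FLAG_RA:
        return "recursion-unavailable"   # RA clear: server does not offer recursion
    return "unknown"


def make_response_header(txn_id, flags, ancount=0):
    """Constructed sample reply header (no question/answer sections) for offline tests."""
    return struct.pack("!HHHHHH", txn_id, flags, 1, ancount, 0, 0)


def probe(server=EXAMPLE_SERVER, qname=EXAMPLE_QNAME, timeout=3.0):
    """Send the query over UDP/53 and classify the reply (needs network access)."""
    txn_id, packet = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _peer = sock.recvfrom(4096)
    return classify_response(txn_id, data)


if __name__ == "__main__":
    print(EXAMPLE_SERVER, "->", probe())
```

Run the probe from a host outside the allow-recursion range: a correctly restricted server reports "refused" (or "recursion-unavailable" for an authoritative-only server with recursion no;), while "open" from an external address means the server is still usable as an amplifier.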
And now some interesting links:
- Notes from DjbDNS site
- DjbDNS site
- Threats posed by DNS recursion
- If you insist on using Bind