Re: Bind recursive queries quota.

From: Thomas Cannon (tcannonat_private)
Date: Fri Jul 19 2002 - 20:49:31 PDT


    On Sat, 20 Jul 2002, Guanglong Zhang wrote:
    
    > Hello Robert,
    >
    > Hm.... I meet the same problem of bind9 recursive queries DOS.
    > Does anyone have solution?
    
    Yes. Turn off recursive queries going to your external DNS servers. They
    should only resolve domains that they serve, and junk anything else that
    comes to them.
    
    I'd also highly recommend dumping the Buggy Internet Name Daemon and
    running djbdns externally, setting up DNS caches internally and pointing
    your machine at them. Not only is this a more robust solution, but djbdns
    has a perfect security record. djbdns is written by Dan Bernstein, the
    same person who wrote qmail. It's small, very fast, and easy to configure
    and maintain. In fact, since I've set it up, I have yet to have it crash
    or malfunction in any way -- something I can't say has been my experience
    with BIND.
    
    If you can't afford separate name servers, you can still get djbdns and
    dnscache on the same machine by binding to different IP addresses.
    
    Relevant link:
    
    http://cr.yp.to/djbdns.html
    
    Cheers,
    
    Thomas
    
    
    >
    > Saturday, July 20, 2002, 1:27:19 AM, you wrote:
    > Robert Buckley> Howdy,
    > Robert Buckley>         Does anyone have any information about exploiting bind's recursive
    > Robert Buckley> queries [num] limitation.
    > Robert Buckley> One of our clients decided to do a very intensive WebTrends report, which (
    > Robert Buckley> I assume ) had an option to do
    > Robert Buckley> dns lookups. We use a Cisco pix on the border, with 2 external and 2
    > Robert Buckley> internal bind 9 systems.
    >
    > Robert Buckley> The Cisco pix contains a feature called a DNS-GUARD that will prevent the
    > Robert Buckley> same query being answered twice.
    > Robert Buckley> In other words, the 1st guy to come back with the answer to a query is let
    > Robert Buckley> in, anyone else is denied.
    >
    > Robert Buckley> Our firewall logs showed inbound denials from our two externals had
    > Robert Buckley> increased 196.x times more than normal.
    > Robert Buckley> AVG 400 or so to about 60 thousands plus. An investigation showed that one
    > Robert Buckley> single client ( The Web Trends Guy) was slamming our internal servers with
    > Robert Buckley> queries.
    > Robert Buckley> Our logging on our dns servers showed: Client Recursive Queries Quota
    > Robert Buckley> Reached.
    >
    > Robert Buckley> According to some research we've done, a bind server will stop answering
    > Robert Buckley> queries if it has the default value of 100 unanswered queries in memory.
    > Robert Buckley> Of course this value can be increased via an option. It seemed to me that
    > Robert Buckley> this type of abuse from the webtrends app, nearly caused a denial of service
    > Robert Buckley> on our dns.
    >
    > Robert Buckley> IMO, it would be trivial to write something to ask 100 bogus queries that
    > Robert Buckley> don't get answered in time.
    > Robert Buckley> Anyone have a similar experience or security information on this?
    >
    >
    >
    >
    >
    > --
    > James Zhang
    > Manager,T.S.Dept. Marsec System     Mobile: 13910526162
    > Office: +8610-88087212-3004         FAX: +8610-88087300
    > http://www.babygoal.com             Email: glzhangat_private
    > PGP Public key:
    > ftp://ftp.babygoal.com/pub/pgpkey/glzhang.8848.net.asc
    >
    
    "No brain, no headache"
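    The split Thomas describes (authoritative-only outside, recursion only for the inside), sketched as BIND 9 named.conf fragments. This is an added example, not configuration from anyone in the thread; the zone name, address range and listen address are placeholders.

```conf
// --- named.conf on the EXTERNAL server: the weak form ---
// Recursion is on and unrestricted, so any host on the Internet can
// occupy the server's recursive-clients slots and trip the quota.
options {
    directory "/var/named";
    recursion yes;                 // weak: open recursion on an external server
};

// --- named.conf on the EXTERNAL server: corrected ---
// Authoritative only. Queries for anything but the zones it serves are
// refused instead of being forwarded out, so there is nothing to queue.
options {
    directory "/var/named";
    recursion no;                  // resolve only what we are authoritative for
    allow-query { any; };          // authoritative answers for everyone
    allow-recursion { none; };     // explicit: nobody gets recursion here
};

zone "example.com" {               // placeholder zone name
    type master;
    file "example.com.zone";
};

// --- named.conf on the INTERNAL cache (separate daemon or separate host) ---
// Recursion is offered only to the internal network, bound to its own
// address as the thread suggests, with the simultaneous-lookup quota
// raised above the default of 100 that Robert's logs ran into.
acl internal { 192.0.2.0/24; 127.0.0.1; };   // placeholder internal range

options {
    directory "/var/named";
    listen-on { 192.0.2.53; };     // placeholder address for the cache
    recursion yes;
    allow-recursion { internal; }; // internal clients only
    allow-query { internal; };
    recursive-clients 1000;        // headroom for a busy reporting host
};
```

    Reloading with the external server set to `recursion no` is the quick check: a recursive lookup for a foreign name from outside should now be refused rather than queued against the quota.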
    



    This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 21:11:10 PDT