On Friday 23 January 2009 10:59:31 Duane at e164 dot org wrote:
> Andy Smith wrote:
> > I would encourage you all to firewall off your nameservers as
> > appropriate. There is typically very little reason to allow the
> > Internet to talk to your resolver, and there have been a number of
> > instances recently of people working out how to poison caches and
> > amplify spoofed DNS traffic.
>
> I don't think the current attacks going about matter if it's resolver or
> not, as some are poorly configured and return more data than was sent
> just with the root list alone.

Make sure your DNS configs are in order as well as firewall configs.
For BIND 9.3 users, look at setting "additional-from-cache no;" in your
options block. This will return a REFUSED reply instead of the additional
root list for clients who aren't permitted to recurse, massively reducing the
size of the responses.
Not sure about 9.4, but the 9.5 package in Debian Lenny that Andy was running
appeared to do this by default.
--
Dominic Cleal
dominic(a)computerkb.co.uk
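An added illustration of the options block Dominic is talking about (this is example configuration written for this page, not anything posted in the thread or taken from BIND's documentation): a loose named.conf options block for an authoritative-only BIND 9 server, beside one with the recursion ACL and "additional-from-cache no;" in place. The directory path, the ACL name and the 192.0.2.0/24 client range are assumptions.

```conf
// Loose options block (example, not from the original e-mail).
// Nobody is meant to recurse here, but a refused query for "." from
// any Internet host still comes back padded with the cached root
// server list in the additional section, so a small spoofed query
// draws a much larger reply.
options {
    directory "/var/cache/bind";      // assumed path
    recursion no;
    // additional-from-cache is left at its default of yes
};

// Tightened options block. 192.0.2.0/24 is an assumed example range
// for the hosts that are allowed to use this server as a resolver.
acl "trusted" { 127.0.0.0/8; 192.0.2.0/24; };

options {
    directory "/var/cache/bind";      // assumed path
    // Only trusted hosts may recurse. allow-query-cache is a 9.4+
    // option; on 9.3 allow-recursion on its own is what you have.
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };
    // Do not fill the additional section of replies to clients who
    // may not recurse from the cache: they get a bare REFUSED instead
    // of the root list, so the reply is no bigger than the query.
    additional-from-cache no;
};
```

After an "rndc reload", check the result from a host outside the trusted range with "dig @your.server . NS +norecurse": the status in the header should be REFUSED and the MSG SIZE reported by dig should be close to the size of the query, rather than the few hundred bytes of root NS records and glue you got before.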