Forward recursion. You shouldn't have to allow forward recursions from outside your internal network(s) to foriegn domains. If someone has an answer for this I would be very much pleased. Its also a difficult way to do DNS poisoning. Difficult but not impossible.
Brent Eads
Employee Technology Solutions, Inc.
The contents contain privileged and/or confidential information intended for the named recipient of this email. ETSI (Employee Technology Solutions, Inc.) does not warrant that the contents of any electronically transmitted information will remain confidential. If the reader of this email is not the intended recipient you are hereby notified that any use, reproduction, disclosure or distribution of the information contained in the email in error, please reply to us immediately and delete the document.
Viruses, Malware, Phishing and other known and unknown electronic threats: It is the recipient/client's duties to perform virus scans and otherwise test the information provided before loading onto any computer system. No warranty is made that this material is free from computer virus or any other defect.
Any loss/damage incurred by using this material is not the sender's responsibility. Liability will be limited to resupplying the material.
| "Edwin" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] 10/27/2005 10:39 AM
|
|
Lets say that a DNS packet is sent across the network to a DNS server and is
"x" in size. Everything works as it should be and all is great.
But someone wants to have fun and then send out a DNS request that is "xxx"
ore greater in packet size to a DNS Server. The packets are small enough
not to come across to the DNS servers as a valid request.
DNS does not know how to resolve it so it bounces the request to a Root
Server or other configured DNS servers. The request never gets resolved
because the packet is not correct.
The end result is a DDOS on the network.
Removing forwarding is not an option in MSFT DNS (as far as I can tell).
The *nix servers do not have this problem.
I think the confusion is because I mentioned "DNS Smurfing" which is of
concern without putting emphasis on DDOS.
The internal network would still need to resolve external non authoritative
requests.
Thanks,
Edwin
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, October 27, 2005 10:35 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Forwarding
Why not use root hints instead?
<cough> in our little SBS wizard... at the screen where you are prompted
to enter dns forwarders, you hit 'cancel' and it sets up root hints
http://www.sbslinks.com/images/time.h71.gif
If you are concerned about dns forwarding... which you should be ....
you don't even want to forward from internal requests.
Us little SBS boxes are wizard recommended to DNS forwarders.. BUT... if
we forward to an upstream BIND 5 or 7... even though we look inward for
our DNS and do not expose our port 53, we are reliant on the kindness
and patching of those BIND servers.
Microsoft DNS servers since Windows 2003 sp3 [if I remember right] have
been prevented from poisoning 'to' other folks. But if we rely [forward]
on a poisoned BIND DNS server, we can get nailed.
I don't know if I ever got back to this but one of the Networking guys
walked me through setting up this
DNS:
http://www.sbslinks.com/DNS.htm
Edwin wrote:
> Is it possible within MSFT DNS to only accept DNS forwards from
> internal requests?
>
> Please consider the fact that a domain may not always be configured to
> look at internal DNS servers only. Also, it is not required for a
> domain to be used when DNS services are required. DNS may be
> configured on a machine that is for either internal or external use or
> both.
>
> If this is possible, this will help with "DNS Smurfing" attacks that
> could affect a network.
>
> If you haven't read it already, you may find the information in the
> URL http://www.measurement-factory.com/press/20051024.html useful.
> This article brings me to my question about preventing external DNS
> forwards.
>
> Thanks,
>
> Edwin
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Message scanned by TrendMicro
Message scanned by TrendMicro |
