Hi Colin,

> We always have recursion off.
>
> This does not stop ANY? queries as Michael pointed out.
Exactly. Let me elaborate a bit on that point, as I might have missed doing so in my earlier message:

On an "open" DNS server that allows recursion, you can send an ANY? request for a very large DNS zone file. Like the one from Google, Amazon (to name companies) or <gasp> the entire RIPE root zone or another large one. That tiny ANY? request will be around 56 bytes long, but your DNS server will reply with a large clunker of data. Which - if the source UDP address is spoofed - hits an innocent bystander right in the face.

If you turn recursion off, ANY? requests for zones your DNS server is not authoritative for will be rejected. So your DNS server can't be used to slap someone over the head with the RIPE zone.

However, your DNS server will still respond to ANY? requests for zones that it is authoritative for. These are a lot smaller than root zone files and their immediate children. But they're still sufficiently larger than the initial UDP request that was sent to you. So any DNS server that's not allowing recursion, but responds to query requests, can still be used as a tool in a DDoS attack. This is no hypothetical scenario, as I see it on a daily basis.

There are a few remedies to this. You can throw iptables 'recent' at it, can modify fail2ban (or similar) to parse more verbose DNS logfiles for ANY requests, can use a DNS proxy to filter out or limit ANY? requests, and a few other improvisations. However, they're all band-aids.

The fundamental problem is that design flaw in Bind. It's neither sensible nor wise to allow thousands of ANY? requests from the same source in a short amount of time. So the rate-limit patch that was suggested needs to finally make it into Bind - ASAP. And/or upstream has to roll out the patched versions of Bind for this.

I'm contemplating rolling a modified Bind out for BlueOnyx, which incorporates said patch. But I'm hoping that the Bind makers and upstream come to their senses soon and just do what has to be done.
--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
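The "parse more verbose DNS logfiles for ANY requests" band-aid mentioned in the post, as an added illustration that is not part of the mailing list thread or of BlueOnyx: a small Python detector that reads BIND query-log lines and flags sources sending bursts of ANY queries. The log layout (timestamp, `client <ip>#<port>: query: <name> IN <type>`), the sample lines, the threshold and the window are all constructed assumptions; the flagged sources are what a fail2ban-style jail would then act on.

```python
"""Flag sources that send bursts of ANY queries in BIND-style query-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed BIND 9 query-log layout: "<date> client <ip>#<port>: query: <name> IN <qtype> ..."
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, source_ip, name, qtype) or None for lines that do not match."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("name"), m.group("qtype")


def find_any_bursts(lines, threshold=5, window_seconds=10):
    """Sliding-window count of ANY queries per source.

    Returns {source_ip: peak ANY count seen inside one window} for every source
    whose count exceeded `threshold` within `window_seconds`.
    """
    windows = defaultdict(deque)   # source ip -> timestamps of recent ANY queries
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != "ANY":
            continue                # ignore unparsable lines and non-ANY queries
        ts, ip, _, _ = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop timestamps that fell out of the window
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


# Constructed sample log: one source fires 8 ANY queries in 7 seconds, another is benign.
SAMPLE_LOG = [
    f"28-Aug-2012 12:00:{i:02d}.000 client 198.51.100.7#{40000 + i}: query: example.com IN ANY + (203.0.113.5)"
    for i in range(8)
] + [
    "28-Aug-2012 12:00:03.500 client 192.0.2.10#5353: query: www.example.com IN A + (203.0.113.5)",
    "28-Aug-2012 12:00:04.000 client 192.0.2.10#5354: query: example.com IN ANY + (203.0.113.5)",
    "this line is not a query-log entry and is skipped",
]
```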