BIND: limiting recursion just might make things harder for spammers

David Wolfskill david at catwhisker.org
Sun Nov 17 16:19:25 PST 2002


A few days ago, when the recent BIND advisories came out, one of the
folks on one of the FreeBSD mailing lists suggested that limiting
permitted recursive queries against one's nameserver to "trusted"
machines -- such as "only the local net" -- would help mitigate the
exposure, and was a good idea in any case.

I generally prefer to take "mere configuration" steps as "triage"
for these sorts of things, and let things settle out for a little
while (often, a day or two) before actually replacing code.  And
in this case, I was planning to upgrade to a more recent snapshot
of FreeBSD-STABLE today in any case (which I've done, as of this
morning), so I figured that limiting recursion would probably be
adequate for my case.  (Most of the exposure, as I understand it,
was in the DNSSEC stuff, and I'm not doing that anyhow.)

After adding

	allow-recursion {
		127.0.0.1;
		172.16.0.0/15;
	};

to the global "options" stanza for named.conf & telling named to re-read
that file, I noticed that I was logging quite a few "denied recursion
for query" messages.  (I use 172.16.0.0/15 for my internal networks, and
the box that does the externally-visible nameservice has FreeBSD's ipfw
set up to (among other things) block all traffic involving RFC 1918 nets
on the external NIC.)

I rather wondered who would be trying to use my nameserver to get
information about some domain other than one for which ns.catwhisker.org
is authoritative, so I did a few WHOIS & DNS queries... and I started
seeing names I have come to associate with spams that I've seen.  For
example:

63.178.112.154		sdn-ar-005nctarbP264.dialsprint.net
167.89.225.99		dsl-sj-167-89-225-99.broadviewnet.net

So I have no idea how much that's affecting the spammers, but I'm fairly
certain that restricting the recursion-allowed queries has not made
their misdeeds any easier ... and that is something I found so
encouraging that I felt compelled to share it with y'all.

Cheers,
david
-- 
David H. Wolfskill				david at catwhisker.org
I have no confidence in results obtained through the use of Microsoft
products.
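As an added example (not part of David's post): a short Python script that tallies the "denied recursion for query" log lines the post mentions, checks each source against the post's allow-recursion ACL (127.0.0.1 and 172.16.0.0/15), and flags any denial from an address the ACL should have permitted, which would point to a misconfigured ACL rather than an outside querier. The syslog line layout and the sample lines are constructed assumptions; only the two addresses come from the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# The allow-recursion ACL from the post: loopback plus the internal /15.
ALLOW_RECURSION = [ip_network("127.0.0.1/32"), ip_network("172.16.0.0/15")]

# Matches the "denied recursion for query" message the post quotes. The
# "from [addr].port for name type" layout around it is an assumption.
DENIED_RE = re.compile(
    r"denied recursion for query from \[(?P<ip>[0-9.]+)\]\.(?P<port>\d+) "
    r"for (?P<name>\S+) (?P<qtype>\S+)"
)

# Constructed sample syslog lines; only the first two addresses are taken
# from the post, everything else on each line is made up.
SAMPLE_LOG = """\
Nov 17 10:01:02 ns named[123]: denied recursion for query from [63.178.112.154].2077 for example.com A
Nov 17 10:01:05 ns named[123]: denied recursion for query from [167.89.225.99].1033 for example.net MX
Nov 17 10:02:11 ns named[123]: denied recursion for query from [63.178.112.154].2078 for example.org A
Nov 17 10:02:40 ns named[123]: denied recursion for query from [172.17.0.5].1025 for example.com A
Nov 17 10:03:00 ns named[123]: reloading nameserver
"""

def recursion_allowed(ip: str) -> bool:
    """True if the address falls inside the allow-recursion ACL."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOW_RECURSION)

def summarize_denials(log_text: str):
    """Count denied-recursion sources; flag denials the ACL should have permitted."""
    counts = Counter()
    unexpected = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue  # not a recursion-denial message
        ip = m.group("ip")
        counts[ip] += 1
        if recursion_allowed(ip):
            unexpected.append((ip, m.group("name"), m.group("qtype")))
    return counts, unexpected

if __name__ == "__main__":
    counts, unexpected = summarize_denials(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{n:4d}  {ip}")
    for ip, name, qtype in unexpected:
        print(f"WARNING: {ip} is inside allow-recursion but was denied ({name} {qtype})")
```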



More information about the Baylisa mailing list