BIND: limiting recursion just might make things harder for spammers
Dmitry Kohmanyuk
dk at farm.org
Sun Nov 17 17:02:27 PST 2002
On Sun, Nov 17, 2002 at 04:19:25PM -0800, David Wolfskill wrote:
> I generally prefer to take "mere configuration" steps as "triage"
> for these sorts of things, and let things settle out for a little
> while (often, a day or two) before actually replacing code. And
> in this case, I was planning to upgrade to a more recent snapshot
> of FreeBSD-STABLE today in any case (which I've done, as of this
> morning), so I figured that limiting recursion would probably be
> adequate for my case. (Most of the exposure, as I understand it,
> was in the DNSSEC stuff, and I'm not doing that anyhow.)
Not sure that FreeBSD -stable has latest bind since the
8.3.4 release promised last week as a remedy for this problem
only appeared on ftp.isc.org on today's night:
ftp> rstatus
211-isrv4.isc.org FTP server status:
Version wu-2.6.1(5) Tue Jul 10 12:19:10 PDT 2001
...
211 End of status
ftp> pwd
257 "/isc/bind/src/8.3.4" is current directory.
ftp> ls
227 Entering Passive Mode (204,152,184,27,46,22)
150 Opening ASCII mode data connection for /bin/ls.
total 4420
-rw-rw-r-- 1 10132 9996 362 Nov 17 05:35 MD5
-rw-rw-r-- 1 10132 9996 1608657 Nov 17 05:35 bind-contrib.tar.gz
-rw-rw-r-- 1 10132 9996 366 Nov 17 05:35 bind-contrib.tar.gz.asc
-rw-rw-r-- 1 10132 9996 1490246 Nov 17 05:35 bind-doc.tar.gz
-rw-rw-r-- 1 10132 9996 366 Nov 17 05:35 bind-doc.tar.gz.asc
-rw-rw-r-- 1 10132 9996 1413654 Nov 17 05:35 bind-src.tar.gz
-rw-rw-r-- 1 10132 9996 366 Nov 17 05:35 bind-src.tar.gz.asc
226 Transfer complete.
> After adding
>
> allow-recursion {
> 127.0.0.1;
> 172.16.0.0/15;
> };
>
> to the global "options" stanza for named.conf & telling named to re-read
> that file, I noticed that I was logging quite a few "denied recursion
> for query" messages. (I use 172.16.0.0/15 for my internal networks, and
> the box that does the externally-visible nameservice has FreeBSD's ipfw
> set up to (among other things) block all traffic involving RFC 1918 nets
> on the external NIC.)
>
> I rather wondered who would be trying to use my nameserver to get
> information about some domain other than one for which ns.catwhisker.org
> is authoritative, so I did a few WHOIS & DNS queries... and I started
> seeing names I have come to associate with spams that I've seen. For
> example:
>
> 63.178.112.154 sdn-ar-005nctarbP264.dialsprint.net
> 167.89.225.99 dsl-sj-167-89-225-99.broadviewnet.net
you can enable query logging to see which names they are trying to resolve...
but be careful - logs can fill up pretty quickly so I advice to either set up
a separate logging channel for this (with size limit and rotation) or just
do it for few hours.
On related note of BIND security, I found that using some unreachable host in
first field of SOA record helps to eliminate those annoying `denied update' messages
from win2k clients. (I know it's not a perfect behaviour - but neither is using dynamic
updates by default.) For example:
ua SOA updates-denied.kolo.net domain-master.nic.net.ua (
2002111600 ;serial (version)
28800 ;refresh period (8 hours)
7200 ;retry interval (2 hours)
3024000 ;expire time (5 weeks)
86400 ;default ttl (1 day)
)
More information about the Baylisa
mailing list