Tuesday, June 9, 2009

Selectively Disabling Recursion


Your caching DNS server can unknowingly participate in a form of DDoS attack if recursive lookups are globally allowed.

Say, for example, that for political, religious, competitive or otherwise malicious reasons your web site is targeted for an attack. First, a hacker breaks into the authoritative DNS server for a domain, like my-web-site.org, and adds a large TXT record to it. The hacker then sends thousands of queries to unsecured caching DNS servers requesting that TXT record, but there is a catch: the queries use a spoofed source IP address, the address of the DNS server for your web site. The queries are small, but the responses are amplified to the size of the TXT record, and your DNS server is quickly overwhelmed by the flood of replies it never asked for. Without DNS, your web site goes off the air. For the administrator of each caching DNS server, the extra load from the queries can go unnoticed, but multiplied across thousands of other poorly configured servers, the attack on your site becomes lethal.

The allow-recursion directive, placed in the options section of your named.conf file, restricts the networks from which recursive lookups are accepted; queries for zones the server is authoritative for are still answered for everyone. In this example an ACL is also used to limit recursive lookups to localhost and the 192.168.1.0/24 network.
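A named.conf fragment matching that description, added here as an illustration rather than the post's own example; the ACL name "trusted" and the directory path are assumptions.

```conf
// Added example, not the original post's configuration.
// Weak setting: recursion is answered for anyone on the Internet,
// so the server can be used as an amplifier for spoofed queries.
//
// options {
//     recursion yes;
//     allow-recursion { any; };
// };

// Hardened setting: recursion only for localhost and the LAN.
// "trusted" is an assumed ACL name; "localhost" is a BIND built-in ACL.
acl "trusted" {
    localhost;
    192.168.1.0/24;
};

options {
    directory "/var/cache/bind";      // assumed path, adjust to your system
    recursion yes;                    // still recurse, but only for "trusted"
    allow-recursion { trusted; };
    // BIND 9.4 and later also gate cached answers; keep it in step with
    // allow-recursion so outsiders cannot read the cache either.
    allow-query-cache { trusted; };
};
```

Check the file with `named-checkconf`, then from a host outside the ACL query a name the server is not authoritative for with `dig @<server-ip> example.com`; a correctly restricted server answers with status REFUSED instead of performing the lookup.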
