My understanding is that open DNS servers that allow unrestricted recursion are frowned upon these days, for the very reasons for which you've expressed concern. I believe best practice nowadays is to specify a limited set of subnets for which you allow recursion. For example, at the U of M we'll typically include something like the following in the "options" section of our named.conf files, to prevent recursive lookups from outside users:
allow-recursion { 140.193.0.0/16; 130.179.0.0/16; };
On 17/09/2012 2:16 PM, Paul Sierks wrote:
I recently saw iftop showing a couple of "connections" of ~200Kbps persistently on a box, and because this wasn't the usual, I looked into it. Turns out it was caused by repeated DNS lookups of type ANY for ripe.net. I can only assume this is an amplification attack. This box uses BIND 9.9.1-P3, is public facing, and does recursive lookups (also authoritative). Now that that's out of the way, I'm looking/thinking of ways to prevent this, obviously. This isn't causing a problem on a 100Mb link now but could get there quickly. As far as I know I don't have a lot of options, maybe iptables with some sort of limiting. ACLs would normally help, and would be perfect if I could get it to use a SQL database as the backend, and use that as a whitelist to at least mitigate the issue. If anyone has experience on the subject or an idea, it is much appreciated.
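Putting the allow-recursion advice from the reply together with the setup described in the original message (one BIND 9.9 server that is both authoritative and recursive), here is a constructed named.conf fragment, not taken from either poster's configuration: the networks are RFC 5737 documentation prefixes, the directory, zone name and file are placeholders, and the rate-limit block only applies to BIND 9.9.4 or later built with --enable-rrl (built in from 9.10), so it would not work on the 9.9.1-P3 mentioned above without the separate RRL patch.

```conf
// Constructed example: restrict recursion to known networks while keeping
// the authoritative zones publicly answerable.
acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;        // placeholder: campus network
    198.51.100.0/24;     // placeholder: VPN pool
};

options {
    directory "/var/named";      // placeholder path

    // Weak setting that makes this an open resolver (do not use):
    //   allow-recursion { any; };
    // Hardened: recursion stays on, but only the ACL above may request it.
    // Anyone else asking for ripe.net/ANY (or any other name this server is
    // not authoritative for) gets REFUSED instead of a large amplified answer.
    recursion yes;
    allow-recursion { trusted; };

    // In 9.9 allow-query-cache defaults to the allow-recursion value; setting
    // it explicitly keeps outsiders from pulling already-cached answers.
    allow-query-cache { trusted; };

    // Authoritative data must still be served to the world.
    allow-query { any; };

    // Response Rate Limiting (BIND 9.9.4+ with --enable-rrl, built in from
    // 9.10): limits identical responses per spoofed source to damp what an
    // attacker can reflect off the authoritative zones.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};

zone "example.com" {              // placeholder authoritative zone
    type master;
    file "example.com.zone";
};
```

After reloading, a query for a non-authoritative name from outside the ACL should return status REFUSED, while queries for example.com records still answer; both checks can be done with dig from an address inside and outside the trusted networks.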