[RndTbl] DNS Amplification DoS

Sean Cody sean at tinfoilhat.ca
Mon Sep 17 15:07:11 CDT 2012


> Another way of doing this, which would allow even more flexibility in configuring BIND for internal vs external access is to define two views:
> 
> view internal_resolver {
>        match-clients      { YOUR.SUB.NET.ADDR/CIDR; };
>        match-destinations { YOUR.SUB.NET.ADDR/CIDR; };
>        recursion yes;
>        include "/etc/named.internal.zones";
> };
> 
> view external_resolver {
>        match-clients      { any; };
>        recursion no;
>        include "/etc/named.external.zones";
> };
> 
I agree this is a much better solution.
It also allows a bit of flexibility for dealing with the same domain in different security domains (i.e. serverA is 10/X inside and 4.5.6.7 outside). Keeping naming consistent across zones AND ensuring internal resolvers for the same domain include external views as well is about 100 times easier to do with bind views.

--
Sean
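Added example, not part of the thread: a small Python check that sends a recursion-desired query and classifies the reply header, so you can confirm from outside your network that the `external_resolver` view really refuses recursion (the open-resolver condition behind amplification abuse) while the internal view still grants it. The server address and query name are placeholders; the two sample replies are constructed so the classifier can be exercised offline.

```python
import socket
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035, section 4.1.1)
HEADER = struct.Struct("!HHHHHH")
FLAG_RD, FLAG_RA, RCODE_MASK, RCODE_REFUSED = 0x0100, 0x0080, 0x000F, 5

def build_query(name, qtype=1, txid=0x1234):
    """One-question query for `name` (A record by default) with RD (recursion desired) set."""
    header = HEADER.pack(txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # qclass IN

def classify_response(resp):
    """Read the reply header: was recursion refused, granted, or simply not offered?"""
    _, flags, _, _, _, _ = HEADER.unpack_from(resp)
    if flags & RCODE_MASK == RCODE_REFUSED:
        return "refused"               # what `recursion no` yields for names you are not authoritative for
    if flags & FLAG_RA:
        return "open-recursive"        # server acted as a resolver for this client
    return "recursion-unavailable"     # answered (e.g. own zone) but RA bit clear

def check_resolver(server, name="example.com.", timeout=2.0):
    """Send the query over UDP/53 and classify the answer; `server` is a placeholder address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(data)

# Constructed sample replies (header only; a real reply also carries question/answer sections)
REFUSED_REPLY = HEADER.pack(0x1234, 0x8000 | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 0)
OPEN_REPLY = HEADER.pack(0x1234, 0x8000 | FLAG_RD | FLAG_RA, 1, 1, 0, 0)

if __name__ == "__main__":
    print("external view should look like:", classify_response(REFUSED_REPLY))
    print("internal view should look like:", classify_response(OPEN_REPLY))
```

Run `check_resolver("<your.name.server>")` once from an internal address and once from outside; the first should report "open-recursive" and the second "refused".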
