[RndTbl] DNS Amplification DoS

Sean Walberg sean at ertw.com
Mon Sep 17 15:18:55 CDT 2012


On Mon, Sep 17, 2012 at 3:07 PM, Sean Cody <sean at tinfoilhat.ca> wrote:

> I agree this is a much better solution.
> It also allows a bit of flexibility for dealing with the same domain in
> different security domains (i.e. serverA is 10/X inside and 4.5.6.7
> outside). Keeping naming consistent across zones AND ensuring internal
> resolvers for the same domain include external views as well is about 100
> times easier to do with BIND views.


Technically yes it's a sexier solution, but I cannot recall a time where
I've let a machine have the same name with different IP addresses and ended
up not regretting it. Some time down the line we'd find some device or
third party that used their own resolver but had a VPN to us, or a DMZ that
was just a bit more special with NAT rules than the others, and then we
were fighting between various groups as to who had to solve it with which
hack. This gets even more fun when only one of the groups can explain
what's going on.

BIND views fail my "3am test". After being woken up at 3am I don't want to
be thinking about where I have to query from in order to get the "right"
answer. You've put yourself in a situation where two people can get
different answers for the same question.

As long as you don't take Gilbert's suggestion any further it's good, maybe
even clever. But then again, it's no different than Gilles', just more
indirect.

Please, for your own sanity, if you want the same machine to be visible at
multiple addresses depending on the context, use different zones. Your
network guys, sysadmins, and developers can all agree that
serverx.example.local is different than serverx.example.com.

Sean
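The two layouts discussed above, as an added illustration that is not part of the original post: one zone served through BIND views, where the answer depends on which client asks, beside the separate-zone layout Sean recommends, where each name has exactly one answer. The names, file names and addresses are constructed placeholders, and the two fragments are alternatives for named.conf, not to be combined in one file (once any view is declared, BIND requires every zone to live inside a view).

```conf
# --- Layout 1: one zone, two answers (BIND views) ---
# The record a client receives depends on match-clients, so
# serverx.example.com resolves differently inside and outside.
acl internal { 10.0.0.0/8; 127.0.0.1; };   # constructed placeholder range

view "internal" {
    match-clients { internal; };
    zone "example.com" {
        type master;
        file "db.example.com.internal";   # serverx A 10.1.2.3 (constructed)
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        type master;
        file "db.example.com.external";   # serverx A 203.0.113.7 (constructed)
    };
};

# --- Layout 2: two zones, one answer each (the recommended layout) ---
# No match-clients logic at all: the name itself says which address
# you get, so any resolver anywhere returns the same record for it.
zone "example.local" {
    type master;
    file "db.example.local";      # serverx.example.local  A 10.1.2.3
};

zone "example.com" {
    type master;
    file "db.example.com";        # serverx.example.com    A 203.0.113.7
};
```

In the second layout only the internal authoritative servers carry example.local, so the private address is never handed out by the public servers, and a query for either name gives the same answer no matter where it is sent from.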