32 Chapter 2 DNS Service
It is difficult to prevent this type of attack before it begins. Constant monitoring of the
DNS service and server load allows an administrator to catch the attack early and
mitigate its damaging effect.
The easiest way to guard against this attack is to block the offending IP address with
your firewall. See “Creating an Advanced IP Filter for TCP ports” on page 51.
Unfortunately, this means the attack is already underway and the hacker’s queries are
being answered and the activity logged.
Service Piggybacking
This attack is usually carried out not by hackers but by ordinary Internet users. They may feel that
the DNS response time from their own Internet Service Provider is too slow, and they learn
this trick from other users. These users configure their computers to query another DNS server
instead of their own ISP's DNS servers. The effect is that more users access the DNS server than
it was planned for.
You can guard against this by limiting or disabling DNS Recursion. If you plan to offer
DNS service to your own LAN users, they need recursion to resolve domain names, but
you don’t want to provide this service to any Internet users.
To prevent recursion entirely, see “Enabling or Disabling Recursion” on page 21.
The most common balance is allowing recursion for requests coming from IP addresses
within your own range, but denying recursion to external addresses. BIND allows you to
specify this in its configuration file, named.conf. Edit your named.conf file to include the
following:
options {
    ...
    allow-recursion {
        127.0.0.0/8;
        [your internal IP range of addresses, like 192.168.1.0/27];
    };
};
Please see BIND’s documentation for further information.
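The following Python example is added here to show how BIND evaluates an address match list such as the allow-recursion list above; it is not code from the manual or from BIND. Entries are checked in order, the first entry that matches decides the outcome, a leading ! negates the entry, and a client that matches no entry is refused recursion. The 192.168.1.0/27 prefix fills in the manual's placeholder, and the client addresses and the negation example are constructed.

```python
import ipaddress

# Hypothetical allow-recursion list mirroring the manual's example, with the
# placeholder replaced by a constructed internal range (192.168.1.0/27).
ALLOW_RECURSION = ["127.0.0.0/8", "192.168.1.0/27"]


def parse_match_list(entries):
    """Turn BIND-style address match list entries into (negated, network) pairs.

    Supports single addresses, CIDR prefixes, the keyword 'any', and a leading
    '!' which negates the entry. Trailing semicolons are tolerated.
    """
    parsed = []
    for raw in entries:
        entry = raw.strip().rstrip(";").strip()
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:].strip()
        if entry == "any":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            # strict=False accepts entries such as 192.168.1.5/27 with host bits set
            nets = [ipaddress.ip_network(entry, strict=False)]
        parsed.extend((negated, net) for net in nets)
    return parsed


def recursion_allowed(client_ip, entries):
    """Apply BIND's first-match rule: first matching entry decides, no match means deny."""
    ip = ipaddress.ip_address(client_ip)
    for negated, net in parse_match_list(entries):
        if ip.version == net.version and ip in net:
            return not negated
    return False


def is_open_resolver(entries, probe="198.51.100.1"):
    """True if an arbitrary external address (constructed probe) would be granted recursion."""
    return recursion_allowed(probe, entries)


if __name__ == "__main__":
    for client in ["127.0.0.1", "192.168.1.5", "192.168.1.40", "198.51.100.23"]:
        print(f"{client:15} recursion {'allowed' if recursion_allowed(client, ALLOW_RECURSION) else 'denied'}")
    # Order matters: the negated host must come before the range that contains it.
    good = ["!192.168.1.17", "192.168.1.0/27"]
    bad = ["192.168.1.0/27", "!192.168.1.17"]
    print("exclusion first :", recursion_allowed("192.168.1.17", good))
    print("exclusion last  :", recursion_allowed("192.168.1.17", bad))
    print("open resolver?  :", is_open_resolver(["any"]))
```

The ordering pitfall shown at the end is worth checking whenever an exclusion is added to a list: because the first matching entry wins, a negated host placed after the range that contains it has no effect. Note also that 192.168.1.0/27 covers only 192.168.1.0 through 192.168.1.31, so a client at 192.168.1.40 is refused even though it looks internal.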
LL2351.Book Page 32 Monday, September 8, 2003 2:47 PM