According to US-CERT, 80% of DNS servers in the world have a loophole that allows untrusted third-party IP addresses to perform recursive lookups. This risk can give rise to large-scale DDoS, cache poisoning and other forms of attack. US-CERT and ISC therefore recommend that all network administrators close recursive lookup to untrusted IP addresses.
I have followed the advice of US-CERT. To this end, the solution is simply adding a single line to /var/named/chroot/etc/named.conf:
allow-recursion { IP address; IP address/subnet mask; };
or simply put
recursion no;
The former allows trusted hosts to access recursive lookup, while the latter serves the recursive lookup function for localhost only.
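As an added example (not from the original post), a small Python audit that classifies the global options block of a named.conf the way the post describes: open (BIND's default when nothing restricts it), restricted by allow-recursion, or disabled by recursion no. The acl name and addresses in the sample configs are constructed.

```python
import re

# Constructed named.conf fragments for demonstration (not from the original post).
OPEN_CONF = """
options {
    directory "/var/named";
    recursion yes;    // no allow-recursion: every client may recurse
};
"""

HARDENED_CONF = """
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };   // assumed trusted hosts/subnet
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
};
"""

CLOSED_CONF = """
options {
    directory "/var/named";
    recursion no;
};
"""


def _strip_comments(text):
    """Remove BIND-style /* */, // and # comments so they cannot fool the checks."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _block(text, name):
    """Return the body of the first top-level `name { ... }` block, or '' if absent."""
    m = re.search(r"\b" + name + r"\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:          # walk nested braces to the matching close
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def recursion_exposure(conf):
    """Classify recursion exposure: 'disabled', 'restricted' or 'open'.

    Only the global options block is examined; per-view overrides are ignored.
    """
    opts = _block(_strip_comments(conf), "options")
    if re.search(r"\brecursion\s+no\s*;", opts):
        return "disabled"
    acl = re.search(r"\ballow-recursion\s*\{([^}]*)\}", opts)
    if acl is None:
        return "open"                       # BIND default: recursion for any client
    members = [m.strip() for m in acl.group(1).split(";") if m.strip()]
    return "open" if "any" in members else "restricted"
```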