[nsp-sec] 700K *abused* resolver list? - mitigation notes
Stephen Gill
gillsr at cymru.com
Wed Apr 15 19:03:20 EDT 2009
What version of MS DNS? Is this doc helpful by chance?
http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf
-- steve
On 4/15/09 3:29 PM, "Mike Lewinski" <mike at rockynet.com> wrote:
> ----------- nsp-security Confidential --------
>
> I worked with a customer to test his fix for Microsoft DNS. Disabling
> recursion alone is sufficient to also stop root server record leakage,
> and that's fine for people running auth-only servers. However it seems
> that there is no way to restrict recursion by subnet in Windows DNS,
> which means that port 53 has to be externally blocked if recursion is
> needed.
>
> This also means there is no safe hybrid caching/auth configuration for
> MS-DNS users. Fortunately I think that configuration is somewhat rare,
> though I have encountered at least one.
>
> Another customer running a hybrid bind9 auth/recursive server reports
> that "additional-from-cache no;" hasn't broken anything yet. I'm taking
> his report with a grain of salt because I don't think he has that many
> resolver clients.
>
> Mike
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
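For the BIND 9 hybrid auth/recursive case Mike mentions, here is an added named.conf fragment (not from the thread or from either poster) that restricts recursion by client subnet and applies the "additional-from-cache no;" setting; the ACL subnets and the zone name are placeholders.

```conf
// Added example: BIND 9 hybrid authoritative + recursive server.
// Subnets and zone name below are assumed placeholders, not real values.
acl "trusted-clients" { 192.0.2.0/24; 198.51.100.0/24; 127.0.0.1; ::1; };

options {
    directory "/var/named";

    // Recursion and cache contents are served only to our own clients;
    // everyone else gets REFUSED for recursive queries, so the server is
    // not an open resolver even though port 53 stays reachable.
    allow-recursion   { trusted-clients; };
    allow-query-cache { trusted-clients; };

    // Do not fill the additional section of authoritative answers with
    // records pulled from the cache (the setting discussed in the thread).
    // Older BIND 9 releases accept this directive; on releases that no
    // longer do, "minimal-responses yes;" covers the same ground.
    additional-from-cache no;

    // For an auth-only server the simpler fix is to turn recursion off
    // entirely, which also stops the root-server record leakage:
    // recursion no;
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-query { any; };   // authoritative data stays public
};
```

After reloading, a query with recursion desired from an address outside the ACL should come back REFUSED, while a query for a name in example.com still answers normally.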