Debian – How to prevent Bind from responding to spoofed IP addresses

binddebiandomain-name-system

We all know about open resolvers, this question is kind of for the inverse situation. I have a DNS server that is locked down to certain CIDRs acl trusted {[..]

options {
[..]
allow-query {
            // Accept queries from our "trusted" ACL.  We will
            // allow anyone to query our master zones below.
            // This prevents us from becoming a free DNS server
            // to the masses.
            trusted;
};

This works.

However it doesn't stop infected hosts within the allowed ranges to send spoofed (most commonly type ANY) requests. Those are resolved and the response still sent to the spoofed IP that "requested" it (which is usually the target of the attackers).

How to prevent the DNS server from resolving domains requested outside the trusted ranges? Is that even something bind should be doing?

Best Answer

This isn't a problem you should be trying to solve at the service layer.

Don't allow off-net traffic to make inbound requests to your DNS listeners.
Perform source address validation of packets generated by your customers (if applicable). This prevents amplification attacks originating from inside of your network.

These problems are rooted in the design of the network topology sitting in front of you. It is a losing battle to try and address these issues from the server itself.

Related Solutions

Fedora – Setting Up a DNS Server on Fedora 11

Looks like a DNSSEC problem but is commented in your config file. You need to check if is enabled for Bind:

dnssec-configure -s -b

DNSSEC has been included in Fedora 11: http://fedoraproject.org/wiki/Features/DNSSEC

BIND9: Do forwarders have any priority

I've looked this up before, but I'm having trouble finding something better than this at the moment: https://lists.isc.org/pipermail/bind-users/2012-April/087455.html

BIND8 and onward consider each of the forwarders begin with "equal weight". Based on the SRTT of the responses, the nameserver begins to favor one over the other. A certain percentage of queries will always hit the one with higher latency, to retest the waters and keep the calculated weight preference fair. (bearing in mind that once a record is cached, the forwarders will not be consulted for it again until the TTL has expired)

In short, the forwarders directive is designed with redundancy and minimized latency in mind -- not in an active-standby failover model. This will not do what you want it to, and I am not aware of any BIND directives to reconfigure this behavior. I end up staring at BIND documentation a fair bit in my line of work so I feel pretty confident about this statement.

Best Answer

Related Solutions

Fedora – Setting Up a DNS Server on Fedora 11

BIND9: Do forwarders have any priority

Related Topic