Root Zone Cache – DDoS Prevention
I’m told there is some type of DDoS attack that uses DNS servers which answer queries for the . (root) zone. I don’t know all the details, but BIND will always reply to a query if the answer is already in its cache, even if you lock down recursion, and odds are the . (root) zone will be in cache most (if not all) of the time. The only reasonable way to lock this down (that I know of) is the allow-query-cache option in BIND: just like allow-recursion, it lets you restrict cache answers to specific networks and hosts.
After failing to get BIND to start with this option, I discovered that it was not introduced until version 9.4. Unfortunately, CentOS/RHEL only provides BIND 9.3. I was unable to find BIND 9.4+ in any third-party repository, so I decided to grab the source RPM (9.5.1) from Fedora 10 and rebuild it for CentOS 5.
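For reference, here is the kind of named.conf options block this is about, as an added example and not a file from the original post: the "before" state restricts recursion only, so cached answers (the root NS set included) still go to anyone; the "after" state adds allow-query-cache (BIND 9.4+), so only the same clients can read from cache. The 192.0.2.0/24 network is a placeholder for your own client range.

```conf
// --- Before: recursion locked down, but cache still answers the world ---
options {
    directory "/var/named";
    recursion yes;
    allow-query     { any; };                    // needed if you also serve authoritative zones
    allow-recursion { localhost; 192.0.2.0/24; };
    // No allow-query-cache: a query for ". NS" from any host is still answered
    // if the root NS set is already cached, which is nearly always.
};

// --- After: cache answers are limited to the same trusted clients ---
acl "trusted" {
    localhost;
    192.0.2.0/24;   // placeholder: replace with your own networks
};

options {
    directory "/var/named";
    recursion yes;
    allow-query       { any; };        // authoritative zones stay public
    allow-recursion   { trusted; };    // who may ask us to recurse
    allow-query-cache { trusted; };    // who may read answers from cache (BIND 9.4+)
};
```

To check the result from a host outside the trusted range, `dig @your-server . NS` should now be refused instead of returning the cached root name servers.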
I figured I’d post a link to them in case they are of use to anyone else. Note: I have not tested these thoroughly, but they seem to work on my test box. I’ve included bind-chroot; if you don’t use chroot, skip that link.
rpm -Uvh bind*