Root Zone Cache – DDoS Prevention

I’m told there is some type of DDoS attack using DNS servers that allow queries of the . (root) zone. I don’t know all the details, but BIND will always answer a query from its cache if the record is cached, even if you lock down recursion. Odds are the . (root) zone will be in cache most (if not all) of the time. The only reasonable way to lock this down (that I know of) is the allow-query-cache option in BIND. It restricts cached answers to specific networks and hosts, in the same way the allow-recursion option restricts recursive queries.
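As an added example (not the original author’s configuration), here is a named.conf options block for BIND 9.4 or later that applies the allow-query-cache restriction alongside allow-recursion; the "trusted" ACL name and its network range are placeholders:

```conf
// Added example, not from the original post: restrict both recursion and
// cached answers to the same trusted networks on BIND 9.4+.
// The ACL name and the 192.0.2.0/24 range are placeholders (RFC 5737 space).

acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;       // placeholder: replace with your internal network(s)
};

options {
    directory "/var/named";

    // Weak (pre-9.4 style): only recursion is restricted. Records already in
    // cache, such as the root NS set, are still handed to any client.
    //     allow-recursion { trusted; };

    // Hardened: restrict recursion AND cache lookups to the same ACL, set
    // explicitly so the result does not depend on defaults. Clients outside
    // "trusted" asking for cached data get REFUSED.
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };

    // Zones this server is authoritative for remain answerable by anyone.
    allow-query { any; };
};
```

To verify, from a host outside the trusted ACL run `dig @<server> . NS`; the status should be REFUSED rather than a list of the cached root name servers.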

After failing to get BIND running with this, I discovered that the setting was not introduced until version 9.4. Unfortunately, CentOS/RHEL only provides BIND 9.3. I was unable to find BIND 9.4+ in custom repositories, so I decided to grab the source RPM (9.5.1) from Fedora 10 and build it for CentOS 5.

I figured I’d post a link to them in case they could be of use to anyone else. Note: I have not tested these thoroughly, but they seem to work on my test box. I’ve included bind-chroot; if you don’t use chroot, skip that link.

Once downloaded, install the packages with:

rpm -Uvh bind*
