DDoS on SpamHaus via DNS Amplification

There's been a lot of talk about the DDoS (Distributed Denial of Service) attack on Spamhaus recently, putatively launched by Cyberbunker or their clients.

I've read over and over again how open DNS resolvers are responsible and Sysadmins running DNS servers ought to deny recursive look-ups to requests from outside their own network.

Or rate-limit requests. Or even test for spoofed source addresses (how that would be possible for the DNS server is left as an exercise in head-scratching for those who understand the word "spoof").

I tend to run open DNS servers, but my theory is that ISPs should be blocking packets leaving their networks that have source IPs that appear to be outside their networks (egress filtering).

Apparently I'm not alone, just in the minority of sysadmins that hold that view point.

The IETF (Internet Engineering Task Force) has a Best Current Practice guide about this. Before I quote from it, I'll note that they call it "ingress" filtering, as they apply the filtering to the ISPs' routers that sit between ISP & client, as opposed to a filter at the outside edge of the ISP where it uplinks to a backbone connection.

Below is the summary of the Best Current Practice (dated May 2000):

Ingress traffic filtering at the periphery of Internet connected networks will reduce the effectiveness of source address spoofing denial of service attacks. Network service providers and administrators have already begun implementing this type of filtering on periphery routers, and it is recommended that all service providers do so as soon as possible. In addition to aiding the Internet community as a whole to defeat this attack method, it can also assist service providers in locating the source of the attack if service providers can categorically demonstrate that their network already has ingress filtering in place on customer links.

Added bonus:

Corporate network administrators should implement filtering to ensure their corporate networks are not the source of such problems. Indeed, filtering could be used within an organization to ensure users do not cause problems by improperly attaching systems to the wrong networks.

It seems that while "network administrators have already begun implementing" filtering, it's far from being effectively implemented.

I hope to end up in a NOC for a large ISP some day, and I intend to implement such filtering at each step along the way. iptables to the rescue!
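The ingress filtering described above, as an added example that is not part of the original post or of the IETF document: a POSIX shell script that prints (and, with --apply, installs) iptables rules enforcing that packets forwarded in from a customer link carry a source address from that customer's assigned prefixes. The interface name eth1 and the prefixes 203.0.113.0/24 and 198.51.100.0/25 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: BCP 38 style ingress filtering
# on a Linux router sitting between an ISP and one customer link. The
# interface "eth1" and the prefixes 203.0.113.0/24 and 198.51.100.0/25 are
# assumed placeholders (documentation ranges), not real customer data.

# Print the iptables commands for one customer-facing interface.
#   $1        = interface the customer is attached to
#   $2 .. $n  = IPv4 prefixes assigned to that customer
# Forwarded packets entering via that interface must carry a source address
# from one of those prefixes; anything else is logged (rate limited) and dropped.
bcp38_rules() {
    iface="$1"; shift
    chain="BCP38_$iface"
    # Create the per-link chain, or flush it if it already exists.
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    # Legitimate sources leave the chain and continue through FORWARD.
    for prefix in "$@"; do
        echo "iptables -A $chain -s $prefix -j RETURN"
    done
    # Everything else is spoofed (or misconfigured): log a sample, then drop.
    echo "iptables -A $chain -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"BCP38 $iface spoof: \" --log-level 4"
    echo "iptables -A $chain -j DROP"
    # Hook the chain in for traffic entering via the customer interface.
    # Insert (not append) so it runs before any ACCEPT rules already present.
    echo "iptables -I FORWARD -i $iface -j $chain"
}

# Apply the rules only when explicitly asked (requires root); otherwise just
# print them so they can be reviewed first.
if [ "${1:-}" = "--apply" ]; then
    bcp38_rules eth1 203.0.113.0/24 198.51.100.0/25 | sh -e
else
    bcp38_rules eth1 203.0.113.0/24 198.51.100.0/25
fi
```

Where routing towards the customer is symmetric, Linux's strict reverse-path filter (net.ipv4.conf.eth1.rp_filter=1) drops the same spoofed packets without any rules; the explicit chain is what you want when you need logging or have asymmetric routes.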


I should add, if you do wish to configure your DNS to limit recursion, CYMRU has a guide on how to do it.

Short answer:

options {
    recursion no;
    additional-from-cache no;
};

They then outline how to set up an ACL for your trusted clients.

From "man named.conf", one can also control recursion with this:

allow-recursion-on { address_match_element; ... };
