Tightened DNS security question re: DNS amplification attacks.
Mark Andrews
Mark_Andrews at isc.org
Thu Jan 29 05:18:12 UTC 2009
In message <20090128232123.GA66921 at redoubt.spodhuis.org>, Phil Pennock writes:
> Sorry to follow up to myself; a few more moments reviewing before
> sending were warranted.
>
> On 2009-01-28 at 15:11 -0800, Phil Pennock wrote:
> > I'd be perfectly happy to have X list every root server, gTLD server and
> > ccTLD server, as a starting point, on the basis that none of those
> > should ever be sending out RD queries,
>
> Before I get grilled on this point: it's not strictly true, since
> obviously things like looking up the IPs of secondary servers to send
> NOTIFY requests to may use recursive DNS.
Only if you have configured a forwarder. Nameservers make non-
recursive queries by default.
> Okay, unless you're running
> a nameserver which secondaries from the gTLD/ccTLD/root servers, you
> have no reason to see RD packets from those servers. Hopefully that's
> accurate enough to appease people who'll otherwise concentrate on that
> point and lose sight of what I was trying to show -- that *most* people
> could easily make use of such an RBL, if the nameservers supported using
> an external file for ignoring RD queries without dropping all traffic.
>
> As people upgrade Bind naturally, the number of reflectors that could
> participate in an attack would go down. Get the OS vendors to use
> default configs which set a Bind option to maintain the file
> automatically and you're getting most of the way there, by sheer number
> of DNS servers.
>
> -Phil
The most common reason for recursive queries to an authoritative
server is someone using dig, nslookup or similar and forgetting
to disable recursion on the request.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
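Both points in the exchange above (Phil's idea of identifying sources that send RD queries to an authoritative server, and Mark's observation that such queries are usually a dig or nslookup run without recursion disabled) come down to one bit in the 16-bit flags field of the DNS header. The script below is an added example, not code from the thread, from NANOG or from BIND: it builds a few constructed query messages, parses the header to read the RD bit, and counts RD queries per source address the way a simple on-wire check would. The source addresses and names are placeholders from the documentation ranges, and the packets are constructed inline, not captured traffic.

```python
import struct
from collections import Counter

# DNS header flag bits (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000  # 1 = response, 0 = query
FLAG_RD = 0x0100  # recursion desired, set by default in dig/nslookup
FLAG_RA = 0x0080  # recursion available, set by a server in its response


def encode_qname(qname):
    """Encode 'www.example.com.' as DNS labels terminated by a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, rd, qtype=1, msg_id=0x1234):
    """Build a minimal one-question DNS query; rd=False is what 'dig +norecurse' sends."""
    flags = FLAG_RD if rd else 0x0000
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Return the header fields of a raw DNS message as a dict."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & FLAG_QR),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "qdcount": qd,
        "ancount": an,
    }


def parse_question(msg, offset=12):
    """Decode the first question's name and type; rejects compression pointers."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return ".".join(labels) + ".", qtype


def is_recursion_desired_query(msg):
    """True for a standard query (QR=0, opcode 0) with the RD bit set."""
    h = parse_header(msg)
    return (not h["qr"]) and h["opcode"] == 0 and h["rd"]


def classify_traffic(packets):
    """packets: iterable of (src_ip, raw_dns_message). Count RD queries per source."""
    counts = Counter()
    for src, raw in packets:
        try:
            if is_recursion_desired_query(raw):
                counts[src] += 1
        except (ValueError, IndexError, struct.error):
            continue  # malformed message, skip rather than crash the monitor
    return counts


# Constructed sample traffic arriving at an authoritative server (not real data).
RESPONSE_SAMPLE = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
                   + encode_qname("example.com.") + struct.pack("!HH", 1, 1))
SAMPLE_PACKETS = [
    ("192.0.2.10", build_query("example.com.", rd=True)),            # plain 'dig' default
    ("192.0.2.10", build_query("www.example.com.", rd=True, qtype=28)),
    ("198.51.100.7", build_query("example.com.", rd=False)),         # 'dig +norecurse'
    ("203.0.113.5", RESPONSE_SAMPLE),                                # a response, not a query
]

if __name__ == "__main__":
    for src, n in classify_traffic(SAMPLE_PACKETS).items():
        print(f"{src} sent {n} RD queries to an authoritative server")
```

Only the first source is reported: the `+norecurse` query has RD clear, and the response carries RD but is excluded by its QR bit. A hand-run `dig` can be made quiet with `+norecurse`, and `nslookup` with `set norecurse`.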
More information about the NANOG mailing list