Tightened DNS security question re: DNS amplification attacks.

Mark Andrews Mark_Andrews at isc.org
Wed Jan 28 23:18:12 CST 2009


In message <20090128232123.GA66921 at redoubt.spodhuis.org>, Phil Pennock writes:
> Sorry to follow up to myself; a few more moments reviewing before
> sending were warranted.
> 
> On 2009-01-28 at 15:11 -0800, Phil Pennock wrote:
> > I'd be perfectly happy to have X list every root server, gTLD server and
> > ccTLD server, as a starting point, on the basis that none of those
> > should ever be sending out RD queries,
> 
> Before I get grilled on this point: it's not strictly true, since
> obviously things like looking up the IPs of secondary servers to send
> NOTIFY requests to may use recursive DNS.

	Only if you have configured a forwarder.  Nameserver make non-
	recursive queries by default.

> Okay, unless you're running
> a nameserver which secondaries from the gTLD/ccTLD/root servers, you
> have no reason to see RD packets from those servers.  Hopefully that's
> accurate enough to appease people who'll otherwise concentrate on that
> point and lose sight of what I was trying to show -- that *most* people
> could easily make use of such an RBL, if the nameservers supported using
> an external file for ignoring RD queries without dropping all traffic.
> 
> As people upgrade Bind naturally, the number of reflectors that could
> participate in an attack would go down.  Get the OS vendors to use
> default configs which set a Bind option to maintain the file
> automatically and you're getting most of the way there, by sheer number
> of DNS servers.
> 
> -Phil

	The most common reason for recursive queries to a authoritative
	server is someone using dig, nslookup or similar and forgeting
	to disable recursion on the request.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org




More information about the NANOG mailing list