DNS Amplification attack?

David Coulthart davec at columbia.edu
Wed Jan 21 13:45:22 UTC 2009

On Jan 20, 2009, at 6:31 PM, David W. Hankins wrote:
> On Tue, Jan 20, 2009 at 12:54:32PM -0800, Wil Schultz wrote:
>> Anyone else noticing "." requests coming in to your DNS servers?
>> http://isc.sans.org/diary.html?storyid=5713
> I was surprised to see 'amplification' in the subject line here, since
> on my nameservers my replies are of equal length to the queries.  A
> little bit of asking around, and I see that it is an amplification
> attack, preying on old software.
> Let me sum up;
> If you're running 9.4 or later, you will reply to these packets with
> 45 octet RCODE:Refused replies.  1:1.  9.4 has an "allow-query-cache"
> directive that defaults to track allow-recursion, which you should
> have set appropriately.

After reading this thread, I decided it was prudent to test my  
authoritative nameservers & was surprised to discover I could retrieve  
cached records from my nameserver even though I have "recursion no;"  
in my options stanza in named.conf.  Re-reading the ARM, I see that  
behavior is expected.  But is there some reason not to set "allow- 
recursion { none; };" since I already have recursion disabled?

Dave Coulthart

More information about the NANOG mailing list