DNS Amplification attack?
David Coulthart
davec at columbia.edu
Wed Jan 21 13:45:22 UTC 2009
On Jan 20, 2009, at 6:31 PM, David W. Hankins wrote:
> On Tue, Jan 20, 2009 at 12:54:32PM -0800, Wil Schultz wrote:
>> Anyone else noticing "." requests coming in to your DNS servers?
>>
>> http://isc.sans.org/diary.html?storyid=5713
>
> I was surprised to see 'amplification' in the subject line here, since
> on my nameservers my replies are of equal length to the queries. A
> little bit of asking around, and I see that it is an amplification
> attack, preying on old software.
>
> Let me sum up;
>
> If you're running 9.4 or later, you will reply to these packets with
> 45 octet RCODE:Refused replies. 1:1. 9.4 has an "allow-query-cache"
> directive that defaults to track allow-recursion, which you should
> have set appropriately.
After reading this thread, I decided it was prudent to test my
authoritative nameservers & was surprised to discover I could retrieve
cached records from my nameserver even though I have "recursion no;"
in my options stanza in named.conf. Re-reading the ARM, I see that
behavior is expected. But is there some reason not to set "allow-
recursion { none; };" since I already have recursion disabled?
Thanks,
Dave Coulthart
More information about the NANOG
mailing list