DNS Amplification attack?

Paul Vixie vixie at isc.org
Wed Jan 21 18:20:15 CST 2009


Mark Andrews <Mark_Andrews at isc.org> writes:

> 	Authoritative servers need a cache.  Authoritative servers
> 	need to ask queries.  The DNS protocol has evolved since
> 	RFC 1034 and RFC 1035 and authoritative servers need to
> 	translate names to addresses for their own use.
>
> 	See RFC 1996, A Mechanism for Prompt Notification of Zone
> 	Changes (DNS NOTIFY).

if i had RFC 1996 to do over again i would either limit outbound notifies
to in-zone servernames, or recommend that primary server operators
configure stealth slaves for servername-containing zones, or (most likely)
i would point out that the need to look up secondary servernames requires
that an authority-only nameserver be able to act as a stub resolver and
that such a server must have access to an independent recursive nameserver.

it's not too late to implement it that way.  no authority-only server
should need a cache of any kind.  the above text from marka represents
a BIND implementation detail, not a protocol requirement, evolved or not.

> 	The real fix is to get BCP 38 deployed.  Reflection
> 	amplification attacks can be effective if BCP 38 measures
> 	have not been deployed.  Go chase down the offending
> 	sources.  BCP 38 is nearly 10 years old.

my agreement with this statement is tempered by the fact that BCP38
deployment cannot be continuously assured, nor tested.  therefore we will
need protocols, implementations, and operational practices that take
account of packet source address spoofing as an enduring property of the
internet.

> 	We all should be taking this as an opportunity to find where
> 	the leaks are in the BCP 38 deployment and correct them.
>
> 	Mark

yea, verily.  and maybe track down rfc1918-sourced spew while you're at it.
-- 
Paul Vixie
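
[Editor's note: the following configuration is an added illustration of the
authority-only arrangement argued for above; it is not part of the original
post and not BIND project documentation. It uses BIND 9 named.conf syntax;
the zone name, file paths and the secondary addresses 192.0.2.53 and
198.51.100.53 are hypothetical placeholders.]

```conf
// WEAK: an authoritative server that also recurses.  Anyone can use it as
// an open resolver, so it reflects and amplifies for spoofed sources, and
// it keeps a cache that authority-only service does not need.
options {
    directory "/var/named";
    recursion yes;              // open to the world
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // notify defaults to yes: named looks up the names in the zone's NS
    // RRset to find where to send NOTIFY, which is exactly the lookup the
    // thread argues an authority-only server should not have to make.
};

// CORRECTED: authority-only, no cache, and NOTIFY targets given as
// addresses so there is nothing to look up.
options {
    directory "/var/named";
    recursion no;                   // never recurse, for anyone
    allow-query { any; };           // serve authoritative data only
    allow-query-cache { none; };    // nothing cached to hand out
    // Send NOTIFY only to the listed addresses, never to names derived
    // from the NS RRset: no resolution step and no off-zone dependency.
    notify explicit;
    also-notify { 192.0.2.53; 198.51.100.53; };   // hypothetical secondaries
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.53; 198.51.100.53; };
};
```

Validate with named-checkconf, then check from outside that a query for a
name you are not authoritative for is refused rather than answered. If you
still want NOTIFY to follow the NS RRset instead of a fixed list, the other
two options in the post apply: keep the secondary servernames in-zone, or
make the primary a stealth slave of the zones that contain those names, so
the lookup is answerable from the server's own authoritative data without a
cache.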
