Tightened DNS security question re: DNS amplification attacks.

Florian Weimer fweimer at bfk.de
Thu Jan 29 13:01:15 UTC 2009

* Mark Andrews:

> 	The most common reason for recursive queries to a authoritative
> 	server is someone using dig, nslookup or similar and forgeting
> 	to disable recursion on the request.

dnscache in "forward only" mode also sets the RD bit, and apparently
does not restrict itself to the configured forwarders list.  (This is
based on a public report, not on first-hand knowledge.)

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the NANOG mailing list