Tightened DNS security question re: DNS amplification attacks.
phil.pennock at spodhuis.org
Thu Jan 29 19:54:14 UTC 2009
On 2009-01-29 at 14:01 +0100, Florian Weimer wrote:
> * Mark Andrews:
> > The most common reason for recursive queries to a authoritative
> > server is someone using dig, nslookup or similar and forgeting
> > to disable recursion on the request.
Useful to know, thanks.
So someone performing diagnostics on one of the root/gTLD/ccTLD servers
would need to remember to dig +norec when checking visibility? Are
manual diagnostics going out from the source IP of such auth
nameservers considered common? In any case, it's a small enough, and
hopefully clued enough, sample of admins that it shouldn't be a problem.
Any organisation seeking to add their auth nameservers to a public RBL
of such IPs will have to accept the same constraint on needing clued
staff. No tears shed at that.
> dnscache in "forward only" mode also sets the RD bit, and apparently
> does not restrict itself to the configured forwarders list. (This is
> based on a public report, not on first-hand knowledge.)
Unless any of the root/gTLD/ccTLD nameservers are also running dnscache,
it should be safe to drop UDP RD packets from those source IP addresses,
as previously described.
More information about the NANOG