Mitigating DNS amplification attacks

Doug Barton dougb at dougbarton.us
Wed May 1 20:01:59 UTC 2013


On 04/30/2013 05:28 PM, Thomas St-Pierre wrote:
> The large majority of the servers being used in the attacks are not
> open resolvers. Just DNS servers that are authoritative for a few
> domains, and the default config of the dns application does referrals
> to root for anything else.

It sounds like you're already aware that this is the default behavior 
for an authoritative-only server, and while the referral to the roots is 
a largeish response and has been used for amplification attacks, it's 
also rather difficult to mitigate against.

A BIND server can be configured to not do that, but contacting each of 
your customers about it might not have a good ROI. See 
https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful 
for more information.

Meanwhile, thank you very much for being proactive in this regard. Would 
that more SPs were as net.responsible as you. :)

Doug



More information about the NANOG mailing list