Home page logo
/

nanog logo nanog mailing list archives

Re: DNS Amplification attack?
From: Chris Adams <cmadams () hiwaay net>
Date: Wed, 21 Jan 2009 13:27:11 -0600

Once upon a time, Crist Clark <Crist.Clark () globalstar com> said:
Another BIND-specific question since we're on the topic. I see
some of our authorative servers being hit with these spoofs, and
yes, the 9.3.5-P1 (that's what Sun supports in Solaris these
days) were sending back answers from the cache... but wait...
what cache?

The view the Internet gets only has our authorative zones. There
is no declaration for the root zone, master, slave, or hints.
How does BIND have the root cached in that view? Where did it
get it from? I guess it's hard coded somewhere?

BIND has had the hints compiled in for some time as a fall-back, but for
an auth-only server, "additional-from-cache no;" will kill such
responses.
-- 
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault