mailing list archives
Re: DNS Amplification attack?
From: Paul Vixie <vixie () isc org>
Date: Thu, 22 Jan 2009 00:20:15 +0000
Mark Andrews <Mark_Andrews () isc org> writes:
Authoritative servers need a cache. Authoritative servers
need to ask queries. The DNS protocol has evolved since
RFC 1034 and RFC 1035 and authoritative servers need to
translate named to addresses for their own use.
See RFC 1996, A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY).
if i had RFC 1996 to do over again i would either limit outbound notifies
to in-zone servernames, or recommend that primary server operators
configure stealth slaves for servername-containing zones, or (most likely)
i would point out that the need to look up secondary servernames requires
that an authority-only nameserver be able to act as a stub resolver and
that such a server much have access to an independent recursive nameserver.
it's not too late to implement it that way. no authority-only server
should need a cache of any kind. the above text from marka represents
a BIND implementatin detail, not a protocol requirement, evolved or not.
The real fix is to get BCP 38 deployed. Reflection
amplification attacks can be effective if BCP 38 measures
have not been deployed. Go chase down the offending
sources. BCP 38 is nearly 10 years old.
my agreement with this statement is tempered by the fact that BCP38
deployment cannot be continuously assured, nor tested. therefore we will
need protocols, implementations, and operational practices that take
account of packet source address spoofing as an unduring property of the
We all should be taking this as a opportunity to find where
the leaks are in the BCP 38 deployment and correct them.
yea, verily. and maybe track down rfc1918-sourced spew while you're at it.
- Re: DNS Amplification attack?, (continued)