Home page logo
/

nanog logo nanog mailing list archives

Re: DNS Amplification attack?
From: Paul Vixie <vixie () isc org>
Date: Thu, 22 Jan 2009 00:20:15 +0000

Mark Andrews <Mark_Andrews () isc org> writes:

      Authoritative servers need a cache.  Authoritative servers
      need to ask queries.  The DNS protocol has evolved since
      RFC 1034 and RFC 1035 and authoritative servers need to
      translate named to addresses for their own use.

      See RFC 1996, A Mechanism for Prompt Notification of Zone
      Changes (DNS NOTIFY).

if i had RFC 1996 to do over again i would either limit outbound notifies
to in-zone servernames, or recommend that primary server operators
configure stealth slaves for servername-containing zones, or (most likely)
i would point out that the need to look up secondary servernames requires
that an authority-only nameserver be able to act as a stub resolver and
that such a server much have access to an independent recursive nameserver.

it's not too late to implement it that way.  no authority-only server
should need a cache of any kind.  the above text from marka represents
a BIND implementatin detail, not a protocol requirement, evolved or not. 

      The real fix is to get BCP 38 deployed.  Reflection
      amplification attacks can be effective if BCP 38 measures
      have not been deployed.  Go chase down the offending
      sources.  BCP 38 is nearly 10 years old.

my agreement with this statement is tempered by the fact that BCP38
deployment cannot be continuously assured, nor tested.  therefore we will
need protocols, implementations, and operational practices that take
account of packet source address spoofing as an unduring property of the
internet.

      We all should be taking this as a opportunity to find where
      the leaks are in the BCP 38 deployment and correct them.

      Mark

yea, verily.  and maybe track down rfc1918-sourced spew while you're at it.
-- 
Paul Vixie


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault