Home page logo
/

nanog logo nanog mailing list archives

Re: Tightened DNS security question re: DNS amplification attacks.
From: Nate Itkin <nanog () konadogs net>
Date: Tue, 27 Jan 2009 14:59:40 -1000

On Wed, Jan 28, 2009 at 10:36:29AM +1100, Mark Andrews wrote:
< ... snip ... >
deny udp host 64.57.246.146 neq 53 any eq 53

      Which pre-supposes that 64.57.246.146 os not emitting queries of
      its own.
      BCP 140 looked at this problem and concluded that sending
      REFUSED was the best general guidance that can be given.
      While BCP 140 applies to recursive servers, returning REFUSED
      to queries which are not within the namespace served by
      authoritative servers is entirely consistant with BCP 140.

Agree. Thank you for catching that.  I should have elaborated that one 
must be very judicious about adding ACLs for the reasons you mentioned.
One of the DOS victims had explicitly said not to expect queries from two 
of the recent targets, but yeah, not necessarily a good plan in the general 
case.

Best wishes,
Nate Itkin


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault