mailing list archives
Re: Tightened DNS security question re: DNS amplification attacks.
From: Mark Andrews <Mark_Andrews () isc org>
Date: Thu, 29 Jan 2009 16:18:12 +1100
In message <20090128232123.GA66921 () redoubt spodhuis org>, Phil Pennock writes:
Sorry to follow up to myself; a few more moments reviewing before
sending were warranted.
On 2009-01-28 at 15:11 -0800, Phil Pennock wrote:
I'd be perfectly happy to have X list every root server, gTLD server and
ccTLD server, as a starting point, on the basis that none of those
should ever be sending out RD queries,
Before I get grilled on this point: it's not strictly true, since
obviously things like looking up the IPs of secondary servers to send
NOTIFY requests to may use recursive DNS.
Only if you have configured a forwarder. Nameserver make non-
recursive queries by default.
Okay, unless you're running
a nameserver which secondaries from the gTLD/ccTLD/root servers, you
have no reason to see RD packets from those servers. Hopefully that's
accurate enough to appease people who'll otherwise concentrate on that
point and lose sight of what I was trying to show -- that *most* people
could easily make use of such an RBL, if the nameservers supported using
an external file for ignoring RD queries without dropping all traffic.
As people upgrade Bind naturally, the number of reflectors that could
participate in an attack would go down. Get the OS vendors to use
default configs which set a Bind option to maintain the file
automatically and you're getting most of the way there, by sheer number
of DNS servers.
The most common reason for recursive queries to a authoritative
server is someone using dig, nslookup or similar and forgeting
to disable recursion on the request.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews () isc org
RE: out-of-band access bandwidth Church, Charles (Jan 27)
Re: out-of-band access bandwidth chuck goolsbee (Jan 27)