[110875] in North American Network Operators' Group
Re: DNS Amplification attack?
daemon@ATHENA.MIT.EDU (David Coulthart)
Wed Jan 21 08:45:50 2009
From: David Coulthart <davec@columbia.edu>
To: "David W. Hankins" <David_Hankins@isc.org>
In-Reply-To: <20090120233128.GI15562@isc.org>
Date: Wed, 21 Jan 2009 08:45:22 -0500
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On Jan 20, 2009, at 6:31 PM, David W. Hankins wrote:
> On Tue, Jan 20, 2009 at 12:54:32PM -0800, Wil Schultz wrote:
>> Anyone else noticing "." requests coming in to your DNS servers?
>>
>> http://isc.sans.org/diary.html?storyid=5713
>
> I was surprised to see 'amplification' in the subject line here, since
> on my nameservers my replies are of equal length to the queries. A
> little bit of asking around, and I see that it is an amplification
> attack, preying on old software.
>
> Let me sum up:
>
> If you're running 9.4 or later, you will reply to these packets with
> 45 octet RCODE:Refused replies. 1:1. 9.4 has an "allow-query-cache"
> directive that defaults to track allow-recursion, which you should
> have set appropriately.
After reading this thread, I decided it was prudent to test my
authoritative nameservers & was surprised to discover I could retrieve
cached records from my nameserver even though I have "recursion no;"
in my options stanza in named.conf. Re-reading the ARM, I see that
behavior is expected. But is there some reason not to set
"allow-recursion { none; };" since I already have recursion disabled?
Thanks,
Dave Coulthart
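As an added illustration, not taken from either poster's message: a BIND 9.4-style `options` stanza for an authoritative-only server that makes the cache policy explicit rather than leaving it to the default the quoted message describes (`allow-query-cache` following `allow-recursion` when it is not set). The directory, zone name and file name are placeholders.

```conf
// Constructed example of an authoritative-only BIND 9.4+ configuration.
// With only "recursion no;" present, allow-recursion keeps its default and
// allow-query-cache inherits from it, which is why cached records could still
// be read remotely in the situation described above. Stating both ACLs
// explicitly removes that dependency.
options {
    directory "/var/named";          // placeholder path

    recursion no;                    // never recurse on behalf of clients
    allow-recursion { none; };       // the setting proposed in the question
    allow-query-cache { none; };     // close the cache to every client too

    allow-query { any; };            // authoritative zone data stays public
};

zone "example.org" {
    type master;
    file "example.org.zone";         // placeholder zone file
};
```

After reloading, a query to this server for a name it is not authoritative for should come back `status: REFUSED` with no `ra` flag, while queries for `example.org` still answer normally; `named-checkconf` will flag syntax mistakes in the stanza before the reload.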