[110900] in North American Network Operators' Group
Re: DNS Amplification attack?
daemon@ATHENA.MIT.EDU (Chris Adams)
Wed Jan 21 14:27:17 2009
Date: Wed, 21 Jan 2009 13:27:11 -0600
From: Chris Adams <cmadams@hiwaay.net>
To: nanog@nanog.org
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>, nanog@nanog.org
In-Reply-To: <497705BD.33E4.0097.0@globalstar.com>
Errors-To: nanog-bounces@nanog.org
Once upon a time, Crist Clark <Crist.Clark@globalstar.com> said:
> Another BIND-specific question since we're on the topic. I see
> some of our authoritative servers being hit with these spoofs, and
> yes, the 9.3.5-P1 (that's what Sun supports in Solaris these
> days) were sending back answers from the cache... but wait...
> what cache?
>
> The view the Internet gets only has our authoritative zones. There
> is no declaration for the root zone, master, slave, or hints.
> How does BIND have the root cached in that view? Where did it
> get it from? I guess it's hard coded somewhere?
BIND has had the hints compiled in for some time as a fall-back, but for
an auth-only server, "additional-from-cache no;" will kill such
responses.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
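
The setting named in the reply above, shown in context as a named.conf fragment for an authoritative-only view. This is an added example, not configuration from either poster; the view name, zone name and file path are placeholders.

```conf
// Constructed example: "external", example.com and the zone file path
// are placeholders, not values from the thread.

/* Before: the Internet-facing view holds only authoritative zones, but
 * nothing stops named from answering out-of-zone queries with data it
 * holds from the compiled-in root hints or from cache.
 *
 * view "external" {
 *     match-clients { any; };
 *     zone "example.com" {
 *         type master;
 *         file "master/example.com.db";
 *     };
 * };
 */

// After: same view, locked down to authoritative data only.
view "external" {
    match-clients { any; };

    // additional-from-cache is only honoured when recursion is off;
    // with recursion left on, named ignores it and logs a warning.
    recursion no;

    // Do not use cached data (root hints included) for additional
    // sections or for answers to names outside the zones served here.
    additional-from-cache no;

    zone "example.com" {
        type master;
        file "master/example.com.db";
    };
};
```

After reloading, a non-recursive query for the root NS set against the server (for example `dig +norecurse @<server-address> . NS`) should no longer come back with the root name servers.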