[111111] in North American Network Operators' Group


Re: Tightened DNS security question re: DNS amplification attacks.

daemon@ATHENA.MIT.EDU (Mark Andrews)
Thu Jan 29 00:18:39 2009

To: Phil Pennock <phil.pennock@spodhuis.org>
From: Mark Andrews <Mark_Andrews@isc.org>
In-reply-to: Your message of "Wed, 28 Jan 2009 15:21:23 -0800."
	<20090128232123.GA66921@redoubt.spodhuis.org> 
Date: Thu, 29 Jan 2009 16:18:12 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org


In message <20090128232123.GA66921@redoubt.spodhuis.org>, Phil Pennock writes:
> Sorry to follow up to myself; a few more moments reviewing before
> sending were warranted.
> 
> On 2009-01-28 at 15:11 -0800, Phil Pennock wrote:
> > I'd be perfectly happy to have X list every root server, gTLD server and
> > ccTLD server, as a starting point, on the basis that none of those
> > should ever be sending out RD queries,
> 
> Before I get grilled on this point: it's not strictly true, since
> obviously things like looking up the IPs of secondary servers to send
> NOTIFY requests to may use recursive DNS.

	Only if you have configured a forwarder.  Nameservers make non-
	recursive queries by default.

> Okay, unless you're running
> a nameserver which secondaries from the gTLD/ccTLD/root servers, you
> have no reason to see RD packets from those servers.  Hopefully that's
> accurate enough to appease people who'll otherwise concentrate on that
> point and lose sight of what I was trying to show -- that *most* people
> could easily make use of such an RBL, if the nameservers supported using
> an external file for ignoring RD queries without dropping all traffic.
> 
> As people upgrade Bind naturally, the number of reflectors that could
> participate in an attack would go down.  Get the OS vendors to use
> default configs which set a Bind option to maintain the file
> automatically and you're getting most of the way there, by sheer number
> of DNS servers.
> 
> -Phil

	The most common reason for recursive queries to an authoritative
	server is someone using dig, nslookup or similar and forgetting
	to disable recursion on the request.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
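Added illustration, not part of the thread: the RD bit that Phil and Mark are discussing is a single flag in the 12-byte DNS header. The Python below decodes that header from constructed sample messages (no real traffic) and labels each message the way an authoritative-only server would see it, separating a default `dig` (RD set) from `dig +norecurse` and from a response.

```python
import struct

# Constructed sample data, not captured traffic: a one-question DNS message
# for www.example.com / A / IN.  Bits in the 16-bit flags word:
# QR=0x8000 (response), Opcode=bits 11-14, RD=0x0100 (Recursion Desired).
QNAME = b"\x03www\x07example\x03com\x00"
QUESTION = QNAME + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_message(txid: int, flags: int) -> bytes:
    """Assemble header + question with the given flags (constructed data)."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + QUESTION

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header into the fields a classifier needs."""
    if len(msg) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & 0x0100),
        "qdcount": qdcount,
    }

def parse_qname(msg: bytes, offset: int = 12) -> str:
    """Read the uncompressed QNAME that starts the question section."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + "."
        if length & 0xC0:
            raise ValueError("compression pointer in QNAME is not expected here")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def classify(msg: bytes) -> str:
    """Label a message as an authoritative-only server would see it."""
    h = parse_header(msg)
    if h["qr"]:
        return "response"
    if h["opcode"] != 0 or h["qdcount"] == 0:
        return "non-standard"
    if h["rd"]:
        # What a default dig sends: the sender forgot +norecurse, or is a
        # resolver (or a spoofed source) expecting this server to recurse.
        return "recursive query for " + parse_qname(msg)
    return "iterative query for " + parse_qname(msg)
```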
