[111112] in North American Network Operators' Group


Re: Tightened DNS security question re: DNS amplification attacks.

daemon@ATHENA.MIT.EDU (Florian Weimer)
Thu Jan 29 08:00:13 2009

To: Mark Andrews <Mark_Andrews@isc.org>
From: Florian Weimer <fweimer@bfk.de>
Date: Thu, 29 Jan 2009 14:01:15 +0100
In-Reply-To: <200901290518.n0T5ICb6063416@drugs.dv.isc.org> (Mark Andrews's message of "Thu, 29 Jan 2009 16:18:12 +1100")
Cc: nanog@nanog.org, Phil Pennock <phil.pennock@spodhuis.org>
Errors-To: nanog-bounces@nanog.org

* Mark Andrews:

> The most common reason for recursive queries to an authoritative
> server is someone using dig, nslookup or similar and forgetting
> to disable recursion on the request.

dnscache in "forward only" mode also sets the RD bit, and apparently
does not restrict itself to the configured forwarders list.  (This is
based on a public report, not on first-hand knowledge.)

-- 
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
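Both messages turn on the RD (recursion desired) bit in the DNS header: dig and nslookup set it unless told otherwise (dig clears it with `+norecurse`), and the report about dnscache says its forward-only mode sets it too. The following Python is an added illustration, not code from the thread or from any of the resolvers named in it; it constructs a minimal query packet with and without RD and parses the header the way an authoritative server would see it, so an operator can count how many incoming queries ask for recursion. The zone list and packet values are constructed for the example.

```python
import struct

# Bit 8 of the 16-bit flags word in the DNS header is RD (recursion desired).
FLAGS_RD = 0x0100


def build_query(qname: str, recursion_desired: bool, txid: int = 0x1234) -> bytes:
    """Build a one-question DNS query (QTYPE A, QCLASS IN), like dig would send.
    With recursion_desired=True this matches dig's default; False matches
    dig +norecurse. Constructed example packet, not captured traffic."""
    flags = FLAGS_RD if recursion_desired else 0
    # id, flags, qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)


def parse_query(pkt: bytes) -> dict:
    """Return transaction id, RD flag and the question name from a DNS query."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    pos, labels = 12, []
    while True:
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    return {"id": txid, "rd": bool(flags & FLAGS_RD),
            "qname": ".".join(labels) + ".", "qdcount": qdcount}


def recursion_requests(packets: list, served_zones: set) -> dict:
    """Count what an authoritative server receives: queries with RD set for a
    zone it serves (answered anyway, non-recursively) versus RD set for a name
    it does not serve, which is the misdirected recursive lookup the thread
    discusses. Assumed zone membership check: exact match or subdomain."""
    counts = {"rd_in_zone": 0, "rd_out_of_zone": 0, "no_rd": 0}
    for pkt in packets:
        q = parse_query(pkt)
        if not q["rd"]:
            counts["no_rd"] += 1
        elif any(q["qname"] == z or q["qname"].endswith("." + z) for z in served_zones):
            counts["rd_in_zone"] += 1
        else:
            counts["rd_out_of_zone"] += 1
    return counts
```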

