[111123] in North American Network Operators' Group
Re: Tightened DNS security question re: DNS amplification attacks.
daemon@ATHENA.MIT.EDU (Phil Pennock)
Thu Jan 29 14:54:26 2009
Date: Thu, 29 Jan 2009 11:54:14 -0800
From: Phil Pennock <phil.pennock@spodhuis.org>
To: nanog@nanog.org
In-Reply-To: <82y6wucllw.fsf@mid.bfk.de>
Errors-To: nanog-bounces@nanog.org
On 2009-01-29 at 14:01 +0100, Florian Weimer wrote:
> * Mark Andrews:
> > The most common reason for recursive queries to an authoritative
> > server is someone using dig, nslookup or similar and forgetting
> > to disable recursion on the request.
Useful to know, thanks.
So someone performing diagnostics on one of the root/gTLD/ccTLD servers
would need to remember to dig +norec when checking visibility? Are
manual diagnostics going out from the source IP of such auth
nameservers considered common? In any case, it's a small enough, and
hopefully clued enough, sample of admins that it shouldn't be a problem.
Any organisation seeking to add their auth nameservers to a public RBL
of such IPs will have to accept the same constraint on needing clued
staff. No tears shed at that.
> dnscache in "forward only" mode also sets the RD bit, and apparently
> does not restrict itself to the configured forwarders list. (This is
> based on a public report, not on first-hand knowledge.)
Unless any of the root/gTLD/ccTLD nameservers are also running dnscache,
it should be safe to drop UDP RD packets from those source IP addresses,
as previously described.
-Phil
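The filtering rule discussed in this thread, as an added example that is not part of the original posts: inspect the DNS header of a UDP datagram and, if the source address is one of a configured set of authoritative-only nameservers and the query has the RD (recursion desired) bit set, treat it as a candidate to drop. The header layout and the RD bit position come from RFC 1035 section 4.1.1; the address set and the sample queries are constructed here (RFC 5737 documentation ranges), and `build_query` only stands in for what `dig` and `dig +norec` would put on the wire.

```python
import struct

# DNS header flag bits, second 16-bit word of the 12-byte header (RFC 1035 4.1.1)
QR_BIT = 0x8000       # 1 = response, 0 = query
OPCODE_MASK = 0x7800  # 0 = standard QUERY
RD_BIT = 0x0100       # recursion desired; dig sets it unless +norec is given


def build_query(name, qtype=1, rd=True, txid=0x1234):
    """Constructed sample input: a minimal single-question DNS query.

    rd=True mirrors a default `dig` query, rd=False mirrors `dig +norec`.
    """
    flags = RD_BIT if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_header(payload):
    """Decode the fixed 12-byte DNS header into the fields the rule needs."""
    if len(payload) < 12:
        raise ValueError("datagram too short for a DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR_BIT),
        "opcode": (flags & OPCODE_MASK) >> 11,
        "rd": bool(flags & RD_BIT),
        "qdcount": qdcount,
    }


def should_drop(src_ip, payload, auth_server_ips):
    """Rule from the thread: a UDP query carrying RD=1 that claims to come from
    an authoritative-only nameserver is not something those servers send, so
    it is either a diagnostic someone forgot +norec on or a spoofed packet.

    auth_server_ips is an assumed operator-maintained set of addresses.
    """
    if src_ip not in auth_server_ips:
        return False
    hdr = parse_header(payload)
    # Only client queries are candidates: responses (QR=1) and non-QUERY
    # opcodes such as NOTIFY are left alone.
    if hdr["qr"] or hdr["opcode"] != 0:
        return False
    return hdr["rd"]


if __name__ == "__main__":
    auth_ips = {"192.0.2.53", "198.51.100.53"}  # constructed, not real nameservers
    for label, pkt in (("dig", build_query("example.com.")),
                       ("dig +norec", build_query("example.com.", rd=False))):
        print(label, "from 192.0.2.53 ->", "drop" if should_drop("192.0.2.53", pkt, auth_ips) else "pass")
```

As the thread notes, the rule only holds if none of the listed servers also runs a forwarding resolver (such as dnscache in forward-only mode) on the same address, since that would legitimately emit RD=1 queries from the authoritative server's source IP.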