[dns-operations] .se being used as seed data in dns attacks

Edward Lewis Ed.Lewis at neustar.biz
Thu Aug 10 19:36:31 UTC 2006


At 11:51 -0700 8/10/06, william(at)elan.net wrote:
>I've noticed that on one of the servers (that is open to the public but in
>limited form which I'm not about to start explaining here) there are
>'ANY' requests coming for "se". This to me looks like an attempt to
...
>In any case I want to print here results of what the se zone looks like,
>I think it's a bit too long even (or especially) for a GTLD. ...

Memorable Quotes from Amadeus (1984)

Emperor Joseph II: Your work is ingenious. It's quality work. But 
there are simply too many notes, that's all. Just cut a few and it 
will be perfect.

Mozart: Which few did you have in mind, Majesty?

>I know "se" is trying to be a good netizen and be at the front with
>all the latest technologies, but the issue appears to be that it's
>exactly because of this that their zone is being used in this way. This kind of
>points out what can happen if you deploy all this as well...
>
>; <<>> DiG 9.2.4 <<>> @<removed> any se
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51722
>;; flags: qr rd ra; QUERY: 1, ANSWER: 25, AUTHORITY: 9, ADDITIONAL: 12

Welcome to DNSSEC.  That's what DNSSEC is.  A lot more bytes and 
records.  When I ran dig at the a server:

$ dig @a.ns.se se any +dnssec +bufsize=4096

; <<>> DiG 9.3.0 <<>> @a.ns.se se any +dnssec +bufsize=4096
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43514
;; flags: qr aa rd; QUERY: 1, ANSWER: 25, AUTHORITY: 0, ADDITIONAL: 20

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096

...

;; SERVER: 192.36.144.107#53(a.ns.se)
;; WHEN: Thu Aug 10 15:31:51 2006
;; MSG SIZE  rcvd: 3991


This is why I've pushed back on the notion that open recursive name 
servers are the most evil being on the face of the planet.  Sooner or 
later there will be a plethora of authoritative servers to use for 
amplification.

It's not that DNSSEC has a choice.  There's no DNSSEC-lite 
alternative that was passed over.  Just about any improvement on DNS 
will bloat the answers in one way or another.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Soccer/Futbol. IPv6.  Both have lots of 1's and 0's and have a hard time
catching on in North America.
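The amplification factor behind this thread can be read straight off the dig output quoted above (a 3991-byte answer to a query of a few dozen bytes), and the "ANY requests coming for se" that started the discussion are exactly what a resolver or authoritative operator would want to spot in a query log. The following is an added example, not code from the original thread or from any of its posters. It computes the on-the-wire size of a minimal UDP query (header, question, and an empty EDNS0 OPT record), parses the dig command line and the "MSG SIZE rcvd" line to give the response/query ratio, and then runs a simple counter over BIND-style query log lines to flag sources receiving repeated ANY answers for the same name. The dig text is reduced from the message above; the query log lines and the addresses in them are constructed sample data, and the log format is assumed to be BIND's "client IP#port: query: NAME IN TYPE FLAGS" shape.

```python
"""Estimate DNS amplification from dig output and flag repeated ANY queries.

Added example (not from the original thread). The dig sample is trimmed from
the message above; the query log lines below are constructed test data in a
BIND-style format and the addresses are documentation ranges.
"""
import re
from collections import Counter

DNS_HEADER_LEN = 12      # id, flags, four 16-bit section counts
QTYPE_QCLASS_LEN = 4     # QTYPE + QCLASS in the question section
OPT_RR_LEN = 11          # EDNS0 OPT RR with no options: root name(1) type(2) class(2) ttl(4) rdlen(2)


def wire_query_size(qname: str, edns: bool) -> int:
    """Bytes in a minimal UDP query for qname (one question, optional empty OPT RR)."""
    labels = [l for l in qname.strip(".").split(".") if l]
    name_len = sum(1 + len(l) for l in labels) + 1   # length byte per label, plus the root
    size = DNS_HEADER_LEN + name_len + QTYPE_QCLASS_LEN
    if edns:
        size += OPT_RR_LEN
    return size


DIG_CMD_RE = re.compile(r"^; <<>> DiG [\d.]+\S* <<>> (.*)$", re.M)
MSG_SIZE_RE = re.compile(r"^;; MSG SIZE\s+rcvd: (\d+)", re.M)
EDNS_RE = re.compile(r"^; EDNS: version", re.M)


def amplification_from_dig(output: str) -> dict:
    """Parse dig output and return query size, response size and their ratio."""
    cmd = DIG_CMD_RE.search(output)
    if not cmd:
        raise ValueError("no dig command line found")
    # Drop @server, +options and -flags; what is left is "qname [qtype]"
    args = [a for a in cmd.group(1).split() if not a.startswith(("@", "+", "-"))]
    qname = args[0] if args else "."
    qtype = args[1].upper() if len(args) > 1 else "A"
    size = MSG_SIZE_RE.search(output)
    if not size:
        raise ValueError("no MSG SIZE line found")
    rcvd = int(size.group(1))
    edns = EDNS_RE.search(output) is not None   # an OPT pseudosection means EDNS was used
    qsize = wire_query_size(qname, edns)
    return {"qname": qname, "qtype": qtype, "edns": edns,
            "query_bytes": qsize, "response_bytes": rcvd,
            "amplification": round(rcvd / qsize, 1)}


# Trimmed from the dig run quoted in the message above.
SAMPLE_DIG = """\
; <<>> DiG 9.3.0 <<>> @a.ns.se se any +dnssec +bufsize=4096
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43514
;; flags: qr aa rd; QUERY: 1, ANSWER: 25, AUTHORITY: 0, ADDITIONAL: 20
; EDNS: version: 0, flags: do; udp: 4096
;; MSG SIZE  rcvd: 3991
"""

QUERYLOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S*)")


def flag_any_floods(log_lines, threshold: int = 3) -> dict:
    """Return {(src_ip, qname): count} for sources with >= threshold ANY queries
    for the same name. In a reflection attack the source address is the spoofed
    victim, so the count is of large answers being aimed at that address."""
    counts = Counter()
    for line in log_lines:
        m = QUERYLOG_RE.search(line)
        if not m or m.group("qtype") != "ANY":
            continue
        counts[(m.group("ip"), m.group("qname"))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


# Constructed sample log lines (BIND-style format assumed, documentation addresses).
SAMPLE_LOG = [
    "10-Aug-2006 15:31:51.001 client 192.0.2.10#53: query: se IN ANY +E",
    "10-Aug-2006 15:31:51.002 client 192.0.2.10#53: query: se IN ANY +E",
    "10-Aug-2006 15:31:51.003 client 198.51.100.7#4112: query: www.iis.se IN A +",
    "10-Aug-2006 15:31:51.004 client 192.0.2.10#53: query: se IN ANY +E",
    "10-Aug-2006 15:31:51.005 client 198.51.100.7#4113: query: se IN ANY +",
    "10-Aug-2006 15:31:51.006 client 192.0.2.10#53: query: se IN ANY +E",
]

if __name__ == "__main__":
    print(amplification_from_dig(SAMPLE_DIG))
    print(flag_any_floods(SAMPLE_LOG))
```

For the quoted run the query is 31 bytes on the wire (20 for header and question, 11 for the empty OPT record) against a 3991-byte answer, i.e. roughly 129 to 1; the sizes are for the DNS payload only, so IP and UDP headers would shave a little off the real ratio. The log counter keys on the client address, which in a reflection scenario is the address being flooded rather than the attacker, so its output is a list of destinations to rate-limit or investigate, not a list of culprits.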
