[dns-operations] .se being used as seed data in dns attacks
Edward Lewis
Ed.Lewis at neustar.biz
Thu Aug 10 19:36:31 UTC 2006
At 11:51 -0700 8/10/06, william(at)elan.net wrote:
>I've noticed that one of the servers (that is open to public but in
>limited form which I'm not about to start explaining here) there are
>'ANY' requests coming for "se". This to me looks like an attempt to
...
>In any case I want to print here results of what se zone looks like,
>I think it's a bit too long even (or especially) for GTLD. ...
Memorable Quotes from Amadeus (1984)
Emperor Joseph II: Your work is ingenious. It's quality work. But
there are simply too many notes, that's all. Just cut a few and it
will be perfect.
Mozart: Which few did you have in mind, Majesty?
>I know "se" is trying to be a good netizen and be in the front with
>all the latest technologies, but the issue appears to be that it's
>exactly because their zone is being used in this way. This kind-of
>points out to what can happen if you deploy this all as well...
>
>; <<>> DiG 9.2.4 <<>> @<removed> any se
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51722
>;; flags: qr rd ra; QUERY: 1, ANSWER: 25, AUTHORITY: 9, ADDITIONAL: 12
Welcome to DNSSEC. That's what DNSSEC is. A lot more bytes and
records. When I ran dig at the a server:
$ dig @a.ns.se se any +dnssec +bufsize=4096
; <<>> DiG 9.3.0 <<>> @a.ns.se se any +dnssec +bufsize=4096
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43514
;; flags: qr aa rd; QUERY: 1, ANSWER: 25, AUTHORITY: 0, ADDITIONAL: 20
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
...
;; SERVER: 192.36.144.107#53(a.ns.se)
;; WHEN: Thu Aug 10 15:31:51 2006
;; MSG SIZE rcvd: 3991
This is why I've pushed back on the notion that open recursive name
servers are the most evil being on the face of the planet. Sooner or
later there will be a plethora of authoritative servers to use for
amplification.
It's not that DNSSEC has a choice. There's no DNSSEC-lite
alternative that was passed over. Just about any improvement on DNS
will bloat the answers in one way or another.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Soccer/Futbol. IPv6. Both have lots of 1's and 0's and have a hard time
catching on in North America.