[dns-operations] DNS deluge for x.p.ctrc.cc

Mark Andrews Mark_Andrews at isc.org
Mon Feb 27 01:34:45 UTC 2006


> Paul mentioned:
> 
> ## Let's call it three in four name servers on average.
> #
> #<wince>
> #
> #you'd better not be right about THAT.
> 
> See http://dns.measurement-factory.com/surveys/sum1.html (circa October 2005)
> :
> 
> "There are an estimated 7.5 million external DNS servers on the public
> Internet 
> 
> "Over 75% domain name servers (of roughly 1.3 million sampled) allow
> recursive name service to arbitrary queriers. This opens a name server
> to both cache poisoning and denial of service attacks. 
> 
> "Over 40% allow zone transfers from arbitrary queriers. This exposes a
> name server to denial of service attacks and gives attackers
> information about internal networks."

	Being on the net opens you up to DoS attacks.

	There are plenty of other methods, beyond direct DNS queries,
	that expose nameservers to cache poisoning techniques.
	Turning off global recursion won't save you from being cache
	poisoned if your nameserver is vulnerable.  The best way to
	be protected from cache poisoning is to have up to date
	nameservers.

 
> Given the size of the sample taken, I suspect the "over 75%" estimate is
> pretty trustworthy.
> 
> Regards,
> 
> Joe
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org


