[dns-operations] DNS deluge for x.p.ctrc.cc
Sam Norris
Sam at ChangeIP.com
Mon Feb 27 18:11:10 UTC 2006
Isn't this an issue even if the dns server isn't an open-recursive but
simply listens on port 53? Sending a packet with a spoofed source is a
problem for ANY udp service. If open resolvers are all taken off the net,
what's to stop the botnets from sending enough queries to the root servers
with spoofed sources to accomplish the same goal? Sure it takes more
packets but ...
Why bother testing if it's recursive if either way it's going to send packets
back to a victim? Sure it's a smaller payload but it's still an attack
vector.
Sam
----- Original Message -----
From: "John Kristoff" <jtk at ultradns.com>
To: <dns-operations at mail.oarc.isc.org>
Sent: 02/27/2006 9:30 AM
Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
> On Sun, Feb 26, 2006 at 09:23:23AM -0800, william(at)elan.net wrote:
>> What is a correct way to verify if dns server is recursive from your
>> resolver? Is asking info on your own domain from remote nameserver ok
>> for it? What timeout should be used to decide that there was no answer?
>
> It is possible in some configurations, for example with BIND and an
> allow-recursion ACL, where generally hosts even outside the ACL will
> still receive an answer the server is not authoritative for if it is
> cached locally. So one obvious way around this would be
> to query for a record with a TTL=0 that the server is not authoritative
> for.
>
> John
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
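The recursion check John describes (ask a server for a name it is not authoritative for, preferring a probe record with TTL=0 so a cached answer cannot masquerade as a fresh one) and william's timeout question, worked through as an added example that is not code from either poster. It builds a minimal RD=1 query, parses the reply header and answer TTLs, and classifies the outcome; the probe name `ttl0.example.net`, the server address in the usage note and the three reply packets are constructed for illustration, not captured traffic.

```python
"""Check whether a nameserver recurses for a client that queries it.

Added example for auditing your own servers; the probe name, the
TTL=0 record behind it and the sample replies are all constructed.
"""
import secrets
import socket
import struct

QTYPE_A = 1
RCODE_REFUSED = 5


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_A):
    """Build a query with RD=1, i.e. explicitly asking the server to recurse."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return header + question, txid


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract the header flags, section counts and the TTLs of the answer RRs."""
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # skip QTYPE + QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(msg, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return {
        "id": txid,
        "aa": bool(flags & 0x0400),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "answers": an,
        "authority": ns,
        "answer_ttls": ttls,
    }


def classify(resp, expected_id, probe_ttl_zero=True):
    """Decide what the server did with our query for a name it does not serve."""
    if resp["id"] != expected_id:
        return "mismatched-id"             # not a reply to our query; ignore it
    if resp["rcode"] == RCODE_REFUSED:
        return "refused"                   # recursion denied: what an authoritative-only server should do
    if resp["aa"]:
        return "authoritative"             # bad probe name: the server actually serves this zone
    if resp["answers"] > 0:
        # A non-authoritative answer came from recursion or from cache. If the probe
        # record has TTL=0 at its authority it cannot have been cached, so an answer
        # proves the server recursed on our behalf; otherwise the result is ambiguous.
        return "recursed" if probe_ttl_zero else "answered-maybe-cached"
    if resp["authority"] > 0:
        return "referral"                  # delegation data handed back instead of recursing
    return "empty"


def probe(server, name, timeout=2.0):
    """Send the query over UDP; None means no reply within the timeout."""
    query, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return classify(parse_response(data), txid)


def constructed_responses(query, txid):
    """Three hand-built replies to `query` (constructed sample data, not captured traffic)."""
    question = query[12:]
    refused = struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 0) + question
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 0, 4) + bytes([192, 0, 2, 1])
    recursed = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + a_rr
    ns_rr = b"\x00" + struct.pack("!HHIH", 2, 1, 518400, 20) + encode_name("a.root-servers.net")
    referral = struct.pack("!HHHHHH", txid, 0x8100, 1, 0, 1, 0) + question + ns_rr
    return {"refused": refused, "recursed": recursed, "referral": referral}


if __name__ == "__main__":
    q, t = build_query("ttl0.example.net")
    for label, pkt in constructed_responses(q, t).items():
        print(label, "->", classify(parse_response(pkt), t))
```

Against a live server you would call `probe("192.0.2.53", "ttl0.example.net")` (assumed server and probe name) from an address outside the server's ACL; "refused" or "referral" is the expected result for an authoritative-only server, "recursed" means it resolves for outsiders, and `None` after the timeout means the server dropped the query, which for this test is the same as a refusal. Two seconds is a reasonable timeout for a single UDP round trip; retry once before concluding there was no answer.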