[dns-operations] DNS deluge for x.p.ctrc.cc

Sam Norris Sam at ChangeIP.com
Mon Feb 27 18:11:10 UTC 2006

Isn't this an issue even if the dns server isn't an open-recursive but 
simply listens on port 53?  Sending a packet with a spoofed source is a 
problem for ANY udp service.  If open resolvers are all taken off the net 
whats to stop the botnets from sending enough queries to the root servers 
with spoofed sources to accomplish the same goal?  Sure it takes more 
packets but ...

Why bother testing if its recursive if either way its going to send packets 
back to a victim?  Sure its a smaller payload but its still an attack 


----- Original Message ----- 
From: "John Kristoff" <jtk at ultradns.com>
To: <dns-operations at mail.oarc.isc.org>
Sent: 02/27/2006 9:30 AM
Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc

> On Sun, Feb 26, 2006 at 09:23:23AM -0800, william(at)elan.net wrote:
>> What is a correct way to verify if dns server is recursive from your
>> resolver? Is asking info on your own domain from remote nameserver ok
>> for it? What timeout should be used to decide that there was no answer?
> It is possible in some configurations, for example with BIND and an
> allow recursion ACL, where generally hosts even outside the ACL will
> still receive an answer the server is not authoritative for if it is
> cached locally.  So one possible way obvious way around this would be
> to query for a record with a TTL=0 that the server is not authoritative
> for.
> John
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations 

More information about the dns-operations mailing list