[dns-operations] EDNS0

Mark Andrews Mark_Andrews at isc.org
Wed Mar 1 05:21:39 UTC 2006


> Paul,
> 
> Can I have some understanding of what would happen if a non-recursive DNS
> server which services some domain with a very large resource record
> (say a large TXT) received a request for that record from a spoofed source.
> 
> Would that always cause the response to go to the spoofed ip address?

	Yes.
 
> How is that different than amplification with recursive DNS servers?
> (since in both cases a smaller request packet of about 40-50 bytes
> causes the DNS server to send a large response of up to 500 bytes to a forged
> source IP address)

	Essentially there is no difference.
 
> Would this change in any way with EDNS (if so how)?

	Only the size of the response.  At this point in time it
	is hard to find responses that would get to the 4k mark
	unless you craft it yourself.  Recursive servers were needed
	for the current attack so that you could get a lot of
	responses from the records you put in place.

	As DNSSEC is deployed finding a 3+k authoritative response
	will be about as easy as finding a 500 byte response is
	today.  You will be able to do the attack w/o needing the
	recursive servers.

	Mark

> -- 
> William Leibzon
> Elan Networks
> william at elan.net
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
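The thread's point is that an authoritative server is a reflector whenever a small spoofed query elicits a large answer, and that EDNS0 and DNSSEC only raise the ceiling on the answer size. From an operator's side the observable symptom is a source address that keeps asking for the same large record with a big EDNS0 buffer, so the bytes sent back to it dwarf the bytes it sent. The following is an added example, not code from the mailing list or from ISC: it aggregates per-source request and response bytes from a constructed, simplified query-log format (one line per query, with `src=`, `qname=`, `qtype=`, `edns=`, `req=`, `resp=` fields that are assumptions of this example, not any real server's log layout) and flags sources whose amplification ratio and query count both cross a threshold, which is the kind of signal a response-rate-limiting policy acts on. Addresses are from documentation ranges.

```python
"""Per-source amplification-ratio detector for an authoritative DNS query log.

Added example, not from the dns-operations thread. The log format parsed
below is a constructed one-line-per-query layout used only for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. 203.0.113.7 repeatedly asks for a ~3 KB TXT record
# with a 4096-byte EDNS0 buffer (the reflector pattern described in the
# thread); the 198.51.100.x clients are ordinary lookups. 'edns=0' means the
# query carried no OPT record, so the answer is capped at 512 bytes.
SAMPLE_LOG = """\
2006-03-01T05:20:01Z src=203.0.113.7 qname=big.example. qtype=TXT edns=4096 req=47 resp=3010
2006-03-01T05:20:01Z src=203.0.113.7 qname=big.example. qtype=TXT edns=4096 req=47 resp=3010
2006-03-01T05:20:02Z src=198.51.100.20 qname=www.example. qtype=A edns=0 req=38 resp=54
2006-03-01T05:20:02Z src=203.0.113.7 qname=big.example. qtype=TXT edns=4096 req=47 resp=3010
2006-03-01T05:20:03Z src=198.51.100.21 qname=example. qtype=MX edns=512 req=49 resp=110
2006-03-01T05:20:03Z src=203.0.113.7 qname=big.example. qtype=TXT edns=4096 req=47 resp=3010
2006-03-01T05:20:04Z src=198.51.100.20 qname=big.example. qtype=TXT edns=4096 req=47 resp=3010
2006-03-01T05:20:04Z src=203.0.113.7 qname=big.example. qtype=TXT edns=4096 req=47 resp=3010
2006-03-01T05:20:05Z src=203.0.113.7 qname=big.example. qtype=TXT edns=4096 req=47 resp=3010
"""

# Field layout of the constructed log format (an assumption of this example).
LINE_RE = re.compile(
    r"src=(?P<src>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
    r"edns=(?P<edns>\d+) req=(?P<req>\d+) resp=(?P<resp>\d+)"
)


@dataclass
class SourceStats:
    """Bytes exchanged with one source address over the log window."""
    queries: int = 0
    req_bytes: int = 0
    resp_bytes: int = 0

    @property
    def ratio(self) -> float:
        """Amplification factor: bytes sent to the source per byte received."""
        return self.resp_bytes / self.req_bytes if self.req_bytes else 0.0


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("edns", "req", "resp"):
        d[k] = int(d[k])
    return d


def aggregate(log_text: str) -> dict:
    """Sum request/response bytes and query counts per source address."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole run
        s = stats[rec["src"]]
        s.queries += 1
        s.req_bytes += rec["req"]
        s.resp_bytes += rec["resp"]
    return dict(stats)


def flag_sources(stats: dict, min_queries: int = 5, min_ratio: float = 10.0) -> list:
    """Sources that both send many queries and get back far more than they send.

    A single large answer is normal; many of them to one address is the
    reflector signature. Thresholds are illustrative, not tuned values.
    """
    return sorted(
        src for src, s in stats.items()
        if s.queries >= min_queries and s.ratio >= min_ratio
    )


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG)
    for src, s in sorted(stats.items()):
        print(f"{src:16} queries={s.queries:3} out/in={s.ratio:6.1f}x")
    print("candidates for rate limiting:", flag_sources(stats))
```

Note that 198.51.100.20 also received one 3 KB answer for a 47-byte query, but a single lookup never crosses the query-count threshold; the ratio alone would produce false positives on any legitimate client of a large record, which is why both conditions are required.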