Mark_Andrews at isc.org
Wed Mar 1 05:21:39 UTC 2006
> Can I have some understanding of what would happen if non-recursive DNS
> server which services some domain with very large domain resource record
> (say large txt) received a request for that record from spoofed source.
> Would that always cause the response to go to the spoofed ip address?
> How is that different than amplification with recursive dns servers?
> (since in both cases a smaller request packet of about 40-50 bytes
> causes dns server to send large response up to 500bytes to forged
> source ip address)
Essentially there is no difference.
> Would this change in any way with EDNS (if so how)?
Only the size of the response. At this point in time it
is hard to find responses that would get to the 4k mark
unless you craft it yourself. Recursive servers were needed
for the current attack so that you could get a lot of
responses from the records you put in place.
As DNSSEC is deployed finding a 3+k authoritative response
will be about as easy as finding a 500 byte response is
today. You will be able to do the attack w/o needing the
> William Leibzon
> Elan Networks
> william at elan.net
> dns-operations mailing list
> dns-operations at lists.oarci.net
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
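The reply above treats an authoritative server holding a large record as an amplifier no different from a recursive one, with EDNS and DNSSEC pushing answers toward several kilobytes. As an added defensive example (not code from this thread or from BIND), here is a simplified response rate limiter in Python that caps identical answers per client netblock per second and lets an occasional excess query through as a truncated reply; the limits, the /24 grouping, the 60-byte truncated-reply size and the query log are all constructed assumptions.

```python
"""Simplified response rate limiting (RRL) for an authoritative DNS server.
Illustration only, not BIND code: cap identical answers per client netblock
per second and let every Nth excess query through as a truncated (TC=1)
reply, so a real resolver retries over TCP while a spoofed flood is starved.
"""
from collections import defaultdict
from ipaddress import ip_network

TRUNCATED_RESPONSE_BYTES = 60  # constructed: header plus question section only


class ResponseRateLimiter:
    def __init__(self, responses_per_second=3, slip_every=2):
        self.limit = responses_per_second   # identical answers allowed per second
        self.slip_every = slip_every        # every Nth excess query gets TC=1
        self.counts = defaultdict(int)      # (netblock, qname, qtype, second) -> hits

    def decide(self, ts, client_ip, qname, qtype):
        """Return "send", "truncate" or "drop" for one incoming query."""
        # Key on the /24 so rotating spoofed sources inside one block do not
        # escape the limit; fixed one-second windows stand in for a token bucket.
        netblock = ip_network(f"{client_ip}/24", strict=False)
        key = (netblock, qname.lower(), qtype, int(ts))
        self.counts[key] += 1
        excess = self.counts[key] - self.limit
        if excess <= 0:
            return "send"
        return "truncate" if excess % self.slip_every == 0 else "drop"


def apply_limiter(events, limiter):
    """Tally decisions and compare bytes emitted with and without limiting."""
    tally = {"send": 0, "truncate": 0, "drop": 0}
    emitted = unlimited = 0
    for ts, client_ip, qname, qtype, resp_bytes in events:
        decision = limiter.decide(ts, client_ip, qname, qtype)
        tally[decision] += 1
        unlimited += resp_bytes
        if decision == "send":
            emitted += resp_bytes
        elif decision == "truncate":
            emitted += TRUNCATED_RESPONSE_BYTES
    return tally, emitted, unlimited


# Constructed query log: (time s, source IP, qname, qtype, answer bytes).
# Two ordinary lookups, then ten queries within one second for a 3 kB
# DNSSEC-sized TXT answer, all carrying the same forged source address.
SAMPLE_EVENTS = [
    (0.5, "192.0.2.10", "example.com", "TXT", 3000),
    (1.2, "203.0.113.5", "www.example.com", "A", 80),
] + [(1.0 + i / 10, "198.51.100.7", "example.com", "TXT", 3000) for i in range(10)]
```

Running `apply_limiter(SAMPLE_EVENTS, ResponseRateLimiter())` shows the forged source receiving roughly a third of the bytes it would otherwise get, while the two legitimate lookups are answered untouched.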