[dns-operations] DNS deluge for x.p.ctrc.cc

Gadi Evron ge at linuxbox.org
Wed Mar 1 18:14:40 UTC 2006

Geo. wrote:
>>>I mean it seems the firewall that prevents spoofed recursion has to be
>>>between the recursive dns server and its local clients. Who has a setup
>>>like that?
>>I honestly don't understand..
>>Do you mean that spoofing doesn't work anymore, or that everyone
>>prevents spoofing, or..?
> What I'm saying is that with a botnet dns attack, each bot is going to use
> its local dns servers so setting the firewall to block remote recursive dns
> queries or even spoofed traffic is going to gain you nothing since the
> attack is originating from local bots.
> You would likely have to run a software firewall on the dns server itself to
> prevent this sort of attack. Either that or the dns server software has to
> have functionality that allows you to tell it to respond only to local IPs.

You are 100% right. A bot may use its local ISP DNS server. That local 
server is not that much at risk, but this traffic goes into the 
definition of regular DDoS mitigation. This is more manageable, much 
like spam bots who use the ISP's SMTP servers rather than starting their 
own on port 25.

So how to protect the DNS server itself should be separated from this 
general issue, and that is that bots can do either, and can come from 
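
The "respond only to local IPs" control Geo asks about does exist in BIND 9 as query ACLs. The fragment below is an added example for this archived thread, not configuration posted by either participant; the address ranges in the ACL are assumed placeholders for whatever prefixes the resolver actually serves, and `allow-query-cache` requires BIND 9.4 or later.

```conf
// Added example (not from the thread): BIND 9 named.conf fragment that
// limits recursion to the operator's own client networks.
// Prefixes below are assumed placeholders; replace them with the real
// customer/internal ranges of the resolver being configured.
acl "local-clients" {
    localhost;
    localnets;
    10.0.0.0/8;        // assumed: internal/customer prefix
    192.0.2.0/24;      // assumed: documentation prefix standing in for a real range
};

options {
    recursion yes;
    // Only clients in the ACL may ask this server to recurse on their behalf.
    allow-recursion { local-clients; };
    // Without this, cached answers are still handed to anyone who asks,
    // so the server can still be used as an amplifier for already-cached names.
    allow-query-cache { local-clients; };
    // Anyone may still query zones this server is authoritative for.
    allow-query { any; };
};
```

Check the file with `named-checkconf` before reloading. As the thread points out, this closes the resolver to queries from outside the listed ranges; it does nothing about bots that sit inside them, which is the residual "regular DDoS mitigation" problem the reply goes on to discuss.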

