[dns-operations] DNS deluge for x.p.ctrc.cc

Paul Vixie paul at vix.com
Wed Mar 1 21:28:26 UTC 2006

# > If the ISP fixes their DNS servers to restrict the Ips for which they
# > answer recursive queries, then those fixed DNS servers will ignore the
# > spoofed request because the spoofed request appears to come from an IP
# > that they do not serve.
# I believe Geo actually meant something different. I also did not understand
# his meaning at all at first... then he further explained.
# As the bots are in the ISP's allowed space, the ISP's DNS server will
# allow recursion to these bots.

this should not work, for two reasons, and when it works, all indications
are that best known operational practices are not being followed.

first, it should not work because a connected host on some ISP LAN or MAN
should not be able to emit packets with off-net source addresses.  this is
what BCP38 (and to a lesser degree, SAC004) are trying to describe/advise.

second, it should not work because the local recursive name servers ought
to be ACL'd so that off-net source addressed queries are not answered.  i
know that Win2K/DNS can't do this, but BIND can, and every modern OS has
host-level firewall features (WinXP, MacOS/X, all Linux, all BSD, etc).

therefore if a bad person or bot gets access to a host inside an ISP and
sources a stream of packets claiming to be from f-root, then that host's
immediate router or redback or whatever should be dropping those
spoofed-source queries, but if it won't, then the local recursive nameserver
they are reaching (inside the ISP) with those (spoofed-source) queries should
not answer.
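The two layers described in this post (BCP38 ingress filtering at the customer-facing router, then a source-address ACL on the ISP's recursive resolver) modelled as an added example, not code from the original message; the ISP prefixes and the off-net "victim" address are constructed documentation values.

```python
"""Model of the two defenses in Vixie's post: drop off-net-sourced packets at
the first router (BCP38), and refuse recursion to off-net sources at the
resolver (what BIND's allow-recursion ACL does). All addresses are constructed."""
import ipaddress
from typing import NamedTuple

# Constructed example: address space the ISP assigns to its own customers.
ISP_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]


class Query(NamedTuple):
    src: str          # source address the packet claims to come from
    dst: str          # resolver the packet is sent to
    recursion: bool   # RD bit set, i.e. the client wants recursive service


def on_net(addr: str) -> bool:
    """True if addr falls inside the ISP's own customer space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ISP_PREFIXES)


def bcp38_ingress_ok(q: Query) -> bool:
    """Customer-facing router: forward only packets whose source is on-net.
    A bot inside the ISP that spoofs an off-net source address fails here."""
    return on_net(q.src)


def resolver_acl_ok(q: Query) -> bool:
    """Resolver ACL: grant recursion only to on-net sources.  Note that a
    non-recursive query is not covered by this rule alone; BIND's separate
    allow-query-cache ACL exists for that case, which is one reason the
    router-side filter is the first line and not the only one."""
    return (not q.recursion) or on_net(q.src)


def fate(q: Query, ingress_filtering: bool = True) -> str:
    """Where a query sent from inside the ISP ends up.  ingress_filtering=False
    models the 'router won't do it' case, leaving the ACL as the last line."""
    if ingress_filtering and not bcp38_ingress_ok(q):
        return "dropped-at-router"
    if not resolver_acl_ok(q):
        return "refused-by-resolver"
    return "answered"


def demo() -> dict:
    legit = Query("192.0.2.10", "192.0.2.53", True)     # real customer host
    spoofed = Query("203.0.113.5", "192.0.2.53", True)  # claims an off-net victim address
    return {"legit": fate(legit),
            "spoofed_with_bcp38": fate(spoofed),
            "spoofed_no_bcp38": fate(spoofed, ingress_filtering=False)}
```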
