[dns-operations] DNS deluge for x.p.ctrc.cc

Peter Dambier peter at peter-dambier.de
Mon Mar 6 14:01:05 UTC 2006

Geo. wrote:
>>and yet, the time has come when the default out-of-box configuration for
>>smtp relays is to non-open.
> Yes and that affects smtp and only smtp and the problem was with smtp not a
> spoofing issue. Blocking or even rate limiting DNS will affect far more than
> just DNS and will manifest itself as problems with every other function run
> over the network.
>>if root and tld servers accept packets from recursive name servers known to be
>>open and known to have been used as amplifiers in prior attacks, then they
>>will not be available during amplifier attacks, but they will be available to
>>the entire internet.  that's the status quo, and it's a possible choice of
>>"most responsible way to operate".
>>if root and tld servers drop packets from recursive name servers known to be
>>open and known to have been used as amplifiers in prior attacks, then they
>>will not be available to the entire internet, but they will be available
>>during attacks.  that's the prospective change, and it's a possible choice
>>of "most responsible way to operate".
> Those are not the only two possible choices. There is another although I'm
> not versed in dns enough to know how good a solution it would be. Use TCP
> instead of UDP, this would address the issue of spoofing dns requests and
> remove the attack vector. Allow UDP from local clients but restrict
> anonymous remote clients to TCP as the protocol for querying an open
> recursive dns server. UDP is easy to spoof because it's connectionless, TCP
> isn't.

That opens a different can of worms:

dnscache (djbdns) is a resolver only, but it can answer tcp.

tinydns (djbdns) is an authoritative nameserver only, but it is udp only.

axfrdns (djbdns) does answer tcp only but it can only do axfr transfers.

I guess there are a lot of other servers more or less differing from
bind and there are BINDs behind badly configured firewalls ...

The bad thing - you exclude tinydns although tinydns is a "good" server
because it will never do recursion. Bind is told to sometimes do, even
if you configure it not to.

> I'm not a programmer but don't mail servers already fall back to tcp if a
> query response is too long for UDP? Is that just mail servers that do this
> or is this a general function of all software that does dns queries? I
> dunno, but I think it's certainly as much of an option as locking down every
> dns server on the planet.
> Geo.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations

Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
