[dns-operations] DNS Amplification Attacks
ondrej.sury at nic.cz
Tue Mar 21 20:12:25 UTC 2006
On Tue, 2006-03-21 at 10:37 -0500, Matt Pounsett wrote:
> On 21-Mar-2006, at 10:14 , Ondřej Surý wrote:
> > I just don't understand why you are so against shutting down open
> > recursors, I see that we need to do two things:
> I can offer one suggested explanation: open recursors are an
> excellent troubleshooting tool when DNS data appears to be broken
> when off one's own network, but not on it (in my experience, the
> recursor being used to test is usually broken in some way). Perhaps
> Geo has other reasons as well, but those of us that use open
> recursors to troubleshoot are just going to have to get used to the
> fact that they're going away.
I can't speak of others, but many of us have enough resources to put
guarded recursor to other network then you are testing. I know that it
doesn't solve whole issue (testing arbitrary recursor in arbitrary
network), but at least it's something.
Anyway if I had to choose between easy troubleshooting and open
recursors used as attack vector OR not-so-easy troubleshooting and
closed attack vector for bad guys, then I am for second option.
You can easily argue that SMTP relays are excelent tool how to test how
is mail delivered to your mail server.
> >I can offer one suggested explanation: open recursors are an
> >excellent troubleshooting tool when DNS data appears to be broken
> >when off one's own network, but not on it (in my experience, the
> >recursor being used to test is usually broken in some way).
> >Perhaps we can find an alternative that won't/can't be abused, but
> >for the moment it looks like we'll have to live without this view of
> >how other parts of the 'net see our data.
> How about DNS looking glasses that would allow queries to local (to
> the looking glass server) DNS servers using only a web interface?
> Conceptually more or less exactly the same as the looking glasses used
> for BGP queries offer.
I am willing to prepare and provide such a tool. We can create ring of
lg-recursors which would create tool for troubleshooting and allow us to
start hunt for open recursors.
P.S.: Please do not Cc: me I am subscribed to the list.
technický ředitel/Chief Technical Officer
CZ.NIC, z.s.p.o. -- .cz domain registry
Lužná 591, 160 00 Praha 6, Czech Republic
mailto:ondrej.sury at nic.cz http://nic.cz/
tel:+420 222 745 110 fax:+420 220 121 184
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5888 bytes
Desc: not available
More information about the dns-operations