[dns-operations] DNS Amplification Attacks

Ondřej Surý ondrej.sury at nic.cz
Tue Mar 21 20:12:25 UTC 2006


On Tue, 2006-03-21 at 10:37 -0500, Matt Pounsett wrote:
> On 21-Mar-2006, at 10:14 , Ondřej Surý wrote:
> 
> > I just don't understand why you are so against shutting down open
> > recursors, I see that we need to do two things:
> 
> I can offer one suggested explanation: open recursors are an  
> excellent troubleshooting tool when DNS data appears to be broken  
> when off one's own network, but not on it (in my experience, the  
> recursor being used to test is usually broken in some way).  Perhaps  
> Geo has other reasons as well, but those of us that use open  
> recursors to troubleshoot are just going to have to get used to the  
> fact that they're going away.

I can't speak for others, but many of us have enough resources to put a
guarded recursor in a network other than the one you are testing.  I know
that it doesn't solve the whole issue (testing an arbitrary recursor in an
arbitrary network), but at least it's something.

Anyway, if I had to choose between easy troubleshooting and open
recursors used as an attack vector OR not-so-easy troubleshooting and a
closed attack vector for bad guys, then I am for the second option.
<demagogy :-)>
You can easily argue that open SMTP relays are an excellent tool for testing
how mail is delivered to your mail server.
</demagogy :-)>

> >I can offer one suggested explanation: open recursors are an  
> >excellent troubleshooting tool when DNS data appears to be broken  
> >when off one's own network, but not on it (in my experience, the  
> >recursor being used to test is usually broken in some way).
> [snip]
> 
> >Perhaps we can find an alternative that won't/can't be abused, but  
> >for the moment it looks like we'll have to live without this view of  
> >how other parts of the 'net see our data.
> 
> How about DNS looking glasses that would allow queries to local (to
> the looking glass server) DNS servers using only a web interface?
> Conceptually more or less exactly the same as the looking glasses used
> for BGP queries offer.

I am willing to prepare and provide such a tool.  We can create a ring of
lg-recursors, which would give us a tool for troubleshooting and allow us to
start the hunt for open recursors.

Ondrej.
P.S.: Please do not Cc: me, I am subscribed to the list.
-- 
 Ondřej Surý
 technický ředitel/Chief Technical Officer
 -----------------------------------------
 CZ.NIC, z.s.p.o.  --  .cz domain registry
 Lužná 591, 160 00 Praha 6, Czech Republic
 mailto:ondrej.sury at nic.cz  http://nic.cz/
 tel:+420 222 745 110 fax:+420 220 121 184
 -----------------------------------------
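A minimal backend for the web looking glass discussed in this message, as an added example (not the tool Ondřej offers to build): it accepts only a plain hostname and an allow-listed record type, and only ever sends the query to a fixed recursor on the looking-glass host, so the web form cannot be turned into an open recursor by proxy. The recursor address and the offered record types are assumptions.

```python
import random
import re
import socket
import struct

# Assumed: a non-open recursor listens on the looking-glass host itself.
LOCAL_RECURSOR = ("127.0.0.1", 53)
ALLOWED_TYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # hostname labels only

def validate_name(name):
    """Return the lower-cased name without trailing dot, or raise ValueError.
    Rejecting anything that is not a plain hostname keeps shell and HTML
    metacharacters out of the looking glass entirely."""
    name = name.rstrip(".").lower()
    if not name or len(name) > 253:
        raise ValueError("bad name length")
    for label in name.split("."):
        if not LABEL.match(label):
            raise ValueError("bad label: %r" % label)
    return name

def build_query(name, qtype, txid=0x1234):
    """Wire-format query (RFC 1035 header) with only the RD flag set."""
    if qtype not in ALLOWED_TYPES:
        raise ValueError("record type not offered by the looking glass")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = validate_name(name).split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", ALLOWED_TYPES[qtype], 1)

def classify_response(resp):
    """Summarise the response header: id, RA (recursion available), rcode and
    answer count. RA cleared or rcode 5 (REFUSED) is what a closed recursor
    shows an outside client; the looking glass just reports what it sees."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "answers": an}

def lookup(name, qtype, recursor=LOCAL_RECURSOR, timeout=2.0):
    """Send the validated query over UDP to the fixed local recursor with a
    random transaction id, and return the classified response header."""
    txid = random.randrange(1, 65536)
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, recursor)
        data, _ = sock.recvfrom(4096)
    result = classify_response(data)
    if result["id"] != txid:
        raise ValueError("transaction id mismatch, answer discarded")
    return result
```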