[dns-operations] DNS Amplification Attacks

Paul Vixie paul at vix.com
Tue Mar 21 20:50:43 UTC 2006

# > Anyway if I had to choose between easy troubleshooting and open recursors
# > used as attack vector OR not-so-easy troubleshooting and closed attack
# > vector for bad guys, then I am for second option.

me too.  (even though, once we close the recursors, the bad guys will just
switch over to authority-DNS, or NTP or SMB, or go back to using unamplified
ICMP, and then we'll start all over, lather, rinse, repeat, until BCP38 comes.)

# Oh, we're absolutely agreed on that point.  I just meant to point out one
# possible reason for operators to push back against closing open recursors.

the reason i mostly heard a few weeks back was mobility.  IT departments like
to be able to send staffers home or on travel with laptops that are wired up
to use the IT department's nameservers, overriding any local DHCP offerings.
the only ways to continue doing that if the recursors are closed down are (1)
IPSEC tunnels and (2) query-level TSIG.  both of which will take some work to
get running.

and that's my quota for the day.
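
One way to set up option (2), query-level TSIG, with BIND 9, shown as an added example that is not part of the original message. The key name, the addresses (documentation ranges) and the secret are constructed placeholders, and the laptop is assumed to run a local forwarding named, since typical stub resolvers do not sign queries.

```conf
# ---- named.conf on the IT department's recursor -------------------------
# Shared TSIG key handed to roaming laptops (placeholder secret;
# generate a real one with: tsig-keygen -a hmac-sha256 roaming-laptops.)
key "roaming-laptops." {
    algorithm hmac-sha256;
    secret "BASE64-SECRET-PLACEHOLDER";
};

# On-site clients are still matched by source address.
acl "office" { 192.0.2.0/24; };

options {
    recursion yes;
    // Closed recursor: answer recursive queries only for local clients,
    // office addresses, or any query signed with the roaming key.
    allow-recursion   { localhost; "office"; key "roaming-laptops."; };
    allow-query-cache { localhost; "office"; key "roaming-laptops."; };
};

# ---- named.conf on the laptop (local forwarder on 127.0.0.1) ------------
# Same key name, algorithm and secret as on the recursor.
key "roaming-laptops." {
    algorithm hmac-sha256;
    secret "BASE64-SECRET-PLACEHOLDER";
};

# Sign every query sent to the IT recursor (assumed address 192.0.2.53).
server 192.0.2.53 {
    keys { "roaming-laptops."; };
};

options {
    listen-on { 127.0.0.1; };      // the laptop's resolver points here
    allow-query { localhost; };    // do not become an open recursor yourself
    recursion yes;
    forward only;                  // override whatever DHCP offers locally
    forwarders { 192.0.2.53; };
};
```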
