[dns-operations] blocking recursers

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Mar 29 09:31:07 UTC 2006

On Thu, Mar 23, 2006 at 12:28:28PM +0100,
 Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
 a message of 24 lines which said:

> For instance, AFNIC is *considering* sending a warning to each of
> its registrars about ORNs but it has not been done yet.

Done today, feel free to reuse it.

-------------- next part --------------
As you have perhaps noticed in the media, denial-of-service (DoS)
attacks using DNS servers to get an amplification of the attack are
currently becoming more common.

These attacks all use ORNs, Open Recursive Nameservers. A recursive
DNS nameserver is "open" when it agrees to reply, not only to its
local network (as it should) but also to the whole world. It can
therefore be used as a proxy for the DoS attack. Being part of the
attack, it can engage the responsibility of its administrator. Since
a DNS reply is typically larger than the request, the attack is
amplified, so the bad guy can save his bandwidth.

AFNIC wants to remind all its members that ORNs are a danger for the
whole Internet. These ORNs have few legitimate uses. AFNIC strongly
recommends stopping the ORNs, following the techniques described in the
references. For instance, for the BIND program, using "recursion no"
is recommended. For the legitimate recursive service towards the local
network (and towards the clients if you are an access provider), you
need to use a second machine, or a second daemon or even the views of

Of course, you can ask AFNIC for help or advice <hostmaster at nic.fr>.
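
The following named.conf sketch is an added illustration of the two BIND settings the warning refers to ("recursion no" on one side, and views for the legitimate local service on the other); it is not part of the AFNIC text. The network 192.0.2.0/24, the ACL name "local" and the zone example.net are placeholders to be replaced with your own values.

```conf
// Added example (not AFNIC's own configuration) for BIND 9.
// The address range, ACL name and zone are placeholders.

// What makes a server an ORN: recursion enabled with no restriction,
// i.e. a top-level "recursion yes;" and no allow-recursion clause.
// The two corrected setups below avoid that.

// 1) Global default: the server refuses recursive queries from anyone.
//    For a purely authoritative server this is all that is needed.
options {
    recursion no;
};

// 2) Same machine must also recurse for the local network: split the
//    behaviour with views. Local clients get recursion, the rest of
//    the world only gets authoritative answers for the zones we serve.
acl "local" { 127.0.0.1; 192.0.2.0/24; };   // placeholder local network

view "internal" {
    match-clients { "local"; };
    recursion yes;                           // overrides the global "no"
    allow-recursion { "local"; };
    zone "example.net" {                     // placeholder zone
        type master;
        file "example.net.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                            // everyone else: no recursion
    zone "example.net" {
        type master;
        file "example.net.zone";
    };
};
```

Once views are used, every zone has to live inside a view, which is why the example declares the zone in both. After reloading, a recursive query for a name you are not authoritative for should be refused when it comes from outside the "local" range, and the reply should no longer advertise recursion to the outside.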

AFNIC, together with other TLD registries, pursues its reflection
about this vulnerability and the best ways to counter it. One of the
possible ways is to stop serving the DNS requests from ORNs. At the
present time, surveys show that an important part of the nameservers
on the Internet are ORNs, which should call for our attention and for
action by the system administrators.

References:

Securing an Internet Name Server
http://www.cert.org/archive/pdf/dns.pdf. A very good practical
synthesis for the system administrator.

DNS Amplification attacks
http://www.isotf.org/news/DNS-Amplification-Attacks.pdf. A good
description of the current attacks.

The Continuing Denial of Service Threat Posed by DNS Recursion
http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf. Official
advice from the USAn CERT.

Stop abusing my computer in DDOSes, thanks
http://weblog.barnet.com.au/edwin/cat_networking.html. A description
of the first known case, known as "x.p.ctrc.cc".
