[dns-operations] Why would an MTA issue an ANY query instead of an MX query?

Mark Andrews marka at isc.org
Mon Jun 11 23:54:10 UTC 2012


If we have Attacker -> CPE -> Auth -> CPE -> Target why isn't the CPE
returning answers from its cache?

How much unauthenticated amplification in the DNS is acceptable?
Do we need to authenticate any response that results in amplification?
If we do how do we get from where we are now to where we need to be
without breaking everything in the process?

Attackers can hide their attacks in the noise to the extent that
only the target will be noticing that an attack is happening.
Different qnames within a zone, bouncing off CPE and other recursive
servers, using a spread of zones.  It's only lack of sophistication
in the attack that is making the problem visible at auth servers
today.  It's only a matter of time before the attack becomes well
hidden if we play whack-a-mole.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
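The evasion Mark describes above (spreading reflected queries over many qnames, zones and recursive CPE reflectors so that no single authoritative server sees anything unusual), as an added simulation that is not part of his post or of any ISC code. It constructs two attacks delivering the same number of spoofed queries, runs a per-(auth server, qname) rate detector of the kind an auth operator might deploy, and also models the CPE cache question from the first paragraph: when the reflector answers from cache, the auth server never sees the repeated query at all. All sizes, thresholds, names and the 192.0.2.10 target address are assumptions chosen for the example.

```python
"""Toy model of DNS reflection visibility at authoritative servers.

Added example, not from the dns-operations thread. Every constant below is
an assumption: a 64-byte query, a 3000-byte ANY response, and a detector that
flags a (auth server, qname) pair once it sees 100 queries in a window.
"""
from collections import Counter
import random

QUERY_BYTES = 64          # assumed UDP query size on the wire
RESPONSE_BYTES = 3000     # assumed large (e.g. DNSSEC-signed ANY) response
TARGET = "192.0.2.10"     # spoofed source address, i.e. the victim (TEST-NET-1)
WINDOW_THRESHOLD = 100    # per-(auth, qname) count that the naive detector flags


def amplification_factor():
    """Bytes reflected to the target per byte the attacker sends."""
    return RESPONSE_BYTES / QUERY_BYTES


def naive_attack(n_queries):
    """Unsophisticated reflection: one reflector, one zone, one qname, repeated."""
    return [("cpe-0", "ns1.example", "example.") for _ in range(n_queries)]


def spread_attack(n_queries, rng, n_reflectors=200, n_zones=20, n_names=50):
    """Same query volume spread over many reflectors, zones and qnames per zone."""
    queries = []
    for _ in range(n_queries):
        reflector = f"cpe-{rng.randrange(n_reflectors)}"
        zone = rng.randrange(n_zones)
        qname = f"host{rng.randrange(n_names)}.zone{zone}.example."
        queries.append((reflector, f"ns1.zone{zone}.example", qname))
    return queries


def run(queries, reflector_caches):
    """Replay (reflector, auth, qname) tuples.

    Returns (bytes delivered to TARGET, Counter of queries seen per (auth, qname)).
    The reflector always answers the spoofed source; if it caches (TTL assumed
    to exceed the window) only the first query per (reflector, qname) reaches auth.
    """
    target_bytes = 0
    seen_at_auth = Counter()
    cached = set()
    for reflector, auth, qname in queries:
        target_bytes += RESPONSE_BYTES
        if reflector_caches and (reflector, qname) in cached:
            continue  # served from the CPE cache; the auth server never sees it
        cached.add((reflector, qname))
        seen_at_auth[(auth, qname)] += 1
    return target_bytes, seen_at_auth


def flagged(seen_at_auth, threshold=WINDOW_THRESHOLD):
    """(auth, qname) pairs a per-qname rate detector would flag."""
    return {key for key, count in seen_at_auth.items() if count >= threshold}


def compare(n_queries=10_000, seed=1):
    """Run both attacks with and without reflector caching; summarise visibility."""
    rng = random.Random(seed)
    scenarios = (("naive", naive_attack(n_queries)),
                 ("spread", spread_attack(n_queries, rng)))
    results = {}
    for label, queries in scenarios:
        for caches in (False, True):
            target_bytes, seen = run(queries, caches)
            results[(label, caches)] = {
                "target_bytes": target_bytes,
                "auth_queries": sum(seen.values()),
                "flagged": len(flagged(seen)),
            }
    return results


if __name__ == "__main__":
    print(f"amplification x{amplification_factor():.1f}")
    for (label, caches), r in compare().items():
        print(f"{label:6} cache={caches!s:5} target={r['target_bytes']:>9} B "
              f"auth_saw={r['auth_queries']:>5} flagged={r['flagged']}")
```

The target receives identical traffic in all four runs. The naive attack without caching lights up one (auth, qname) counter and is trivially visible; the spread attack stays under the threshold everywhere, and once the CPE caches, even the naive attack reaches the auth server as a single query. That is the whack-a-mole point: a per-qname or per-zone response to today's attacks does not reduce what the target sees, it only removes the signal the auth operator was using.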