[dns-operations] DNS ANY record queries - Reflection Attacks

Robert Schwartz smellyspice at gmail.com
Wed Sep 12 15:30:53 UTC 2012


On Tue, Sep 11, 2012 at 1:12 PM, Chip Marshall <chip at 2bithacker.net> wrote:

>
> It appears to always be ANY queries with recursion desired set,
> which well behaved recursors shouldn't be sending to
> authoritatives in the first place. We've used that to identify
> and block apparently source IPs.
>
>
Just did a dump of the raw packets and we are seeing the same thing. I also
noticed a much lower number of non-ANY type packets, with the recursion bit
set (which we answered) and then stumbled upon a yet smaller number of ICMP
packets that then come back from the "answered" hosts indicating port not
reachable. So clearly there is an additional (yet small) level of junk that
could be filtered, perhaps solely based on the recusion bit.

Does anyone know if it is safe to drop all packets received with the
recursion bit set on an authoritative server? Are there any instance where
an authoritative server *should* respond to a query with this bit set?

Thanks,

-Rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120912/60eb79ef/attachment.html>


More information about the dns-operations mailing list