[dns-operations] DNS ANY requests / UltraDNS

Florian Weimer fw at deneb.enyo.de
Sun Jan 13 10:17:15 UTC 2013

* Mark Andrews:

> So now recursive servers need to try all the authoritative servers
> trying to get a find non broken server.  Then they will return SERVFAIL
> to the clients which you the hope will do something sensible with the
> SERVFAIL response.
> This is a DoS attack on the recursive resolvers.  STOP IT.

If BIND has a denial-of-service vulnerability, you need to fix it in
your code.  Anyone can serve a zone that triggers the vulnerability,
so begging authoritative server operators to play along nicely does
not solve the problem.

More information about the dns-operations mailing list