[dns-operations] Recently closed open resolver and reflection attacks

Paul Vixie paul at redbarn.org
Thu Mar 7 01:33:49 UTC 2013


WBrown at e1b.org wrote:
> I mistakenly wrote on 03/06/2013 11:36:20 AM:
>> Given that no properly configured server should be querying this 
> recursive 
>> name server for isc.org, 
> I meant to describe it as an authoritative server. Duh.  I'm having one of 
> those days....
> Sorry for the confusion.
> So to rephrase the question... 
> Is there any reason why recursive queries to an authoritative server that 
> would normally get a REFUSED reply shouldn't be dropped instead of getting 
> an answer?
> Maybe now that I've had lunch the brain will work better.

if the authority server in question is configured to be a primary or
secondary server for a zone which is at or above the qname, then the
correct answer is either authoritative-positive, authoritative-negative,
or servfail. servfail is if the zone data source is unavailable, such as
a missing primary zone file or an expired secondary zone cache file.

if said authoritity server is not configured to be a primary or
secondary for any zone at or above the qname, then the proper response
is refused. (not an upward delegation as a i once had it in bind8 -- my
apologies to all.)

the reason for these differences is to help in diagnostics.

recursive servers should behave reasonably, which at a minimum means,
not repeating the same query immediately. this can be done with a
hold-down timer or a negative cache, at the whim of the implementor.

since many recursive servers and many spoofed-source ddos attackers
repeat the query immediately, i'm in agreement that RRL should have a
threshold for "refused".

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130306/1ddd43d3/attachment.html>

More information about the dns-operations mailing list