On 03/28/2013 03:16 PM, Alan McKinnon wrote:
> On 28/03/2013 17:38, Michael Mol wrote:
>> On 03/28/2013 04:51 AM, Norman Rieß wrote:
>>> Hello,
>>>
>>> i am using pdns recursor to provide a dns server which should be usable
>>> for everybody. The problem is, that the server seems to be used in dns
>>> amplification attacks.
>>> I googled around on how to prevent this but did not really find
>>> something useful.
>>>
>>> Does anyone have an idea about this?
>>
>> I'm not sure it can be done. You can't make a resolver available to
>> "everybody" without somebody in that "everybody" group abusing it, and
>> that's exactly what happens in a DNS amplification attack.
>>
>> Restrict your resolver to be accessible only to your network or, at
>> most, those of the specific group of people you're seeking to help.
>>
>> You *might* try restricting the resolver to only respond to TCP requests
>> rather than UDP requests, 
> 
> NO NO NO NO NO
> 
> Under no circumstances ever do this. The service breaks horribly when
> you do this and it has to work even remotely hard. Most likely your ISP
> will outright ban you for that if you use the ISP's caches. I know I do,
> and so does every other major ISP in this country.

Er, what? When we're talking about a recursive resolver requiring
clients connecting to it to use TCP, what does upstream care? He's
talking about running his own open DNS server.

> 
>> but if the resolver sends response data along
>> with that first SYN+ACK, then nothing is solved, and you've opened
>> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
>> went offline as a result of a SYN flood, at least it wouldn't be part of
>> an amplification attack any longer...)
> 
> 
> Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
> knows how to do it right and the user does not.

Generally true, though I've known people to choose not to use ISP caches
owing to the ISP's implementation of things like '*' records, ISPs
applying safety filters against some hostnames, and concerns about the
persistence of ISP request logs.


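For reference, the "restrict your resolver to your own network" advice above, as a pdns-recursor configuration. This is an added example and not part of the original thread or of the PowerDNS project's documentation; `allow-from` and `local-address` are real recursor.conf settings, but the address ranges and the 192.0.2.53 listener address are placeholders for the operator's own networks.

```ini
# recursor.conf: an open recursor, the shape that gets abused for amplification.
# Any source on the Internet may send a UDP query and have the (much larger)
# answer reflected at a spoofed victim address.
#
#   local-address=0.0.0.0, ::
#   allow-from=0.0.0.0/0, ::/0
#
# Corrected: listen only on the address your users reach, and answer only
# queries whose source address lies inside your own networks. Spoofed
# packets from outside those ranges are dropped instead of answered.

local-address=192.0.2.53        # placeholder: the recursor's own address
allow-from=192.0.2.0/24, 2001:db8::/32, 127.0.0.0/8, ::1/128   # placeholder ranges
```

After changing `allow-from`, reload or restart the recursor and confirm from an address outside the listed ranges that queries go unanswered, and from an inside address that they still resolve; the source-address check only helps if the outside test really fails.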