On Fri, Jan 17, 2014 at 10:13 PM, Andy Bradford <[email protected]> wrote:
> Thus said Daniel Fussell on Fri, 17 Jan 2014 10:17:35 -0700:
>
>> Recently someone started using my DNS server for a DNS amplification
>> attack, forcing me to disable recursion for queries coming from
>> outside my network. It works well enough, but I'm now sending a denied
>> packet to the victim instead of a 4 kbyte TXT record, where I'd like
>> to send nothing at all.
>
> Why should it send anything in response to a request for recursion if
> you don't even have recursion enabled? Either the DNS server software is
> still misconfigured, or it's broken.
I don't follow. It seems pretty normal for an authoritative server to
reply to a request with the recursion bit set with the 'recursion not
available' code in the response. DNS is a UDP-based protocol (at
least for normal requests), and simply not answering is asking for a
retry. I don't know if you can even configure most DNS servers to
just fail to respond at all to a request with the recursion bit set.
I suspect that anyone who's trying to use a system for DNS
amplification attacks will eventually notice that it no longer does
recursive responses and stop sending spoofed requests. They're no
longer getting any amplification from your server, so their request
bandwidth is "better" spent on another recursive-allowing server.
--Levi
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
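Added example, not part of the thread: a small packet-level check of the point Levi makes. Using only constructed packets (no live queries), it shows that a REFUSED reply to a recursion-desired TXT query is the same size as the query, so it gives an attacker no amplification, whereas a recursive TXT answer does; the verdict strings and the constructed sample packets are my own.

```python
import struct

TXT, IN = 16, 1

def encode_name(name):
    """Encode a dotted name as DNS labels."""
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=TXT, txid=0x1234):
    """A query with the RD (recursion desired) bit set, the kind an amplifier abuser spoofs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN)

def parse_flags(pkt):
    """Pull the header flags a defender cares about out of a DNS packet."""
    flags = struct.unpack("!H", pkt[2:4])[0]
    return {"qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F}

def classify(query, response):
    """Return (verdict, amplification factor) for a query/response pair."""
    f = parse_flags(response)
    factor = round(len(response) / len(query), 1)
    if f["rcode"] == 5:                      # RCODE 5 = REFUSED
        return "refused-no-amplification", factor
    if f["ra"] and factor > 2:
        return "open-resolver-amplifying", factor
    return "answered", factor

# Constructed sample packets (not captured traffic).
QUERY = build_query("example.com")
QUESTION = QUERY[12:]
# Reply from a server with recursion disabled: flags QR|RD, RA clear, RCODE=5, question echoed.
REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION
# Reply from an open resolver: flags QR|RD|RA, one TXT answer of four 255-byte strings.
txt_rdata = b"".join(b"\xff" + b"A" * 255 for _ in range(4))
answer_rr = b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, 300, len(txt_rdata)) + txt_rdata
AMPLIFIED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + answer_rr

if __name__ == "__main__":
    print(classify(QUERY, REFUSED))     # ('refused-no-amplification', 1.0)
    print(classify(QUERY, AMPLIFIED))   # ('open-resolver-amplifying', 36.7)
```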