Thus said Levi Pearson on Fri, 17 Jan 2014 23:26:21 -0700:

> I don't know if you can even configure most DNS servers to just fail
> to respond at all to a request with the recursion bit set.

dig +recurse www.google.com @131.155.71.143

Lest you think this is not a DNS server:

dig +recurse any yp.to @131.155.71.143

And while technically speaking, it isn't a configuration that
can be turned off and on---the software simply does not support
recursion at all and does not respond to queries for which it is
not authoritative---it is certainly possible to avoid this kind of
amplification attack.

So perhaps the problem that Daniel is facing is not one of recursion,
but one of ``why does his software respond at all when it is not
authoritative for the domains being queried against his DNS server?''

> I suspect that anyone who's trying to use a system for DNS
> amplification attacks will eventually notice that it no longer does
> recursive responses and stop sending spoofed requests.

Do they care to look? :-)

Andy
-- 
TAI64 timestamp: 4000000052da248f



/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
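The three behaviours discussed in this thread (silence, REFUSED, and a full recursive answer to a query for a zone the server does not serve) differ in how many bytes a spoofed RD query buys an attacker. The following Python is an added example, not code from the thread or from any DNS software: it builds the same kind of query the dig commands send, decodes the response header, and classifies what a server did, so you can audit your own server's traffic. The sample responses are constructed inline; example.com, 192.0.2.1 and the transaction id are placeholders.

```python
import struct
from typing import Optional, Tuple

def build_query(name: str, qtype: int = 255, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Minimal DNS query. qtype 255 is ANY, the type used in the dig example above."""
    flags = 0x0100 if rd else 0x0000                     # RD = "recursion desired"
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the flag bits that matter here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def classify(query: bytes, response: Optional[bytes]) -> Tuple[str, float]:
    """How the server treated an RD query for a zone it is not authoritative for,
    and the amplification factor (response bytes / query bytes) that response gives."""
    if response is None:                  # the yp.to behaviour: silence, nothing to amplify
        return ("no response", 0.0)
    if len(response) < 12:
        return ("malformed", round(len(response) / len(query), 2))
    h = parse_header(response)
    ratio = round(len(response) / len(query), 2)
    if h["ra"] and h["ancount"] > 0 and not h["aa"]:
        return ("open recursive resolver", ratio)
    if h["rcode"] == 5:                   # REFUSED: a reply, but no bigger than the query
        return ("refused", ratio)
    return ("answered without recursion", ratio)

# Constructed sample traffic (not captured from any real server).
QUERY = build_query("example.com")                       # 29 bytes, RD set, type ANY
# Authoritative-only server echoing the question with RCODE=5 (REFUSED): same size as the query.
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUERY[12:]
# Open resolver: QR|RD|RA set, one A record (name pointer 0xc00c, TTL 300, 4-byte rdata).
OPEN_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    for label, resp in [("silent", None), ("refused", REFUSED_RESPONSE), ("open", OPEN_RESPONSE)]:
        print(label, classify(QUERY, resp))
```

A real ANY response from an open resolver is far larger than this one-record sample, which is why the ratio, not the flag alone, is what to watch in your own server's logs.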
