Thus said Levi Pearson on Fri, 17 Jan 2014 23:26:21 -0700:

> I don't know if you can even configure most DNS servers to just fail
> to respond at all to a request with the recursion bit set.

    dig +recurse www.google.com @131.155.71.143

Lest you think this is not a DNS server:

    dig +recurse any yp.to @131.155.71.143

And while technically speaking, it isn't a configuration that can be turned off and on---the software simply does not support recursion at all and does not respond to queries for which it is not authoritative---it is certainly possible to avoid this kind of amplification attack.

So perhaps the problem that Daniel is facing is not one of recursion, but one of ``why does his software respond at all when it is not authoritative for the domains being queried against his DNS server?''

> I suspect that anyone who's trying to use a system for DNS
> amplification attacks will eventually notice that it no longer does
> recursive responses and stop sending spoofed requests.

Do they care to look? :-)

Andy
--
TAI64 timestamp: 4000000052da248f
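
The behaviour described in the message above (answer only for names the server is authoritative for, and send nothing at all otherwise) can be sketched as follows. This is an added example, not part of the original message and not the code of the server at 131.155.71.143; the zone set, the function names and the sample queries are constructed for illustration.

```python
import struct

# Zones this hypothetical server is authoritative for (constructed sample data).
AUTHORITATIVE_ZONES = {"yp.to."}

def build_query(name, qtype=1, rd=True, txid=0x1234):
    """Build a minimal DNS query packet; used only to construct sample input."""
    flags = 0x0100 if rd else 0x0000            # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_query(packet):
    """Return (rd_bit, qname), or None if this is not a well-formed query."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:          # QR set means it is a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:                         # root label ends the name
            break
        if length > 63 or pos + length > len(packet):   # also rejects pointers
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(packet):                   # QTYPE and QCLASS must follow
        return None
    return bool(flags & 0x0100), ".".join(labels) + "."

def in_zone(qname, zones=AUTHORITATIVE_ZONES):
    """True if qname is a served zone apex or a name beneath one."""
    return any(qname == z or qname.endswith("." + z) for z in zones)

def decide(packet):
    """'answer' only for names we serve. Everything else is dropped silently,
    regardless of the RD bit, so a spoofed source address receives no bytes."""
    parsed = parse_query(packet)
    if parsed is None:
        return "drop"
    _rd, qname = parsed
    return "answer" if in_zone(qname) else "drop"
```

Because the decision depends only on the queried name, there is no REFUSED or referral packet for a forged source address to receive.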
