nanog mailing list archives
Re: Tightened DNS security question re: DNS amplification attacks.
From: Phil Pennock <phil.pennock () spodhuis org>
Date: Wed, 28 Jan 2009 15:21:23 -0800
Sorry to follow up to myself; a few more moments reviewing before sending were warranted.

On 2009-01-28 at 15:11 -0800, Phil Pennock wrote:
> I'd be perfectly happy to have X list every root server, gTLD server and ccTLD server, as a starting point, on the basis that none of those should ever be sending out RD queries,

Before I get grilled on this point: it's not strictly true, since obviously things like looking up the IPs of secondary servers to send NOTIFY requests to may use recursive DNS. Okay, unless you're running a nameserver which secondaries from the gTLD/ccTLD/root servers, you have no reason to see RD packets from those servers.

Hopefully that's accurate enough to appease people who'll otherwise concentrate on that point and lose sight of what I was trying to show -- that *most* people could easily make use of such an RBL, if the nameservers supported using an external file for ignoring RD queries without dropping all traffic. As people upgrade Bind naturally, the number of reflectors that could participate in an attack would go down. Get the OS vendors to use default configs which set a Bind option to maintain the file automatically and you're getting most of the way there, by sheer number of DNS servers.

-Phil
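An added example, not code from the post, from BIND or from NANOG, showing the filter Phil is asking for: drop queries that have the RD bit set when they arrive from an address on a "never recurses through us" list, while still answering that address's iterative (RD=0) queries and passing its NOTIFYs through to normal handling. The list-file format (one address or prefix per line, `#` comments), the RFC 5737/3849 documentation addresses standing in for real root/TLD server addresses, and the sample packets are all constructed for the illustration; nothing here is a real BIND option.

```python
"""
Drop recursion-desired (RD) queries from sources that never legitimately
recurse through this server, without dropping their other traffic.

Rationale: an RD query that appears to come from a root/TLD server is almost
certainly source-spoofed by someone using this server as a reflector against
that address. Sending nothing back removes the amplification; an RD=0 query
or a NOTIFY from the same address is still served normally.
"""
import ipaddress
import struct

# Constructed list in the external-file format the post imagines. The
# addresses are RFC 5737 / RFC 3849 documentation ranges, not real servers.
RBL_FILE_TEXT = """\
# authoritative-only servers that should never ask us to recurse
192.0.2.0/24
198.51.100.7
2001:db8:1::/48
"""

OPCODE_QUERY = 0
OPCODE_NOTIFY = 4


def load_never_rd_list(text):
    """Parse the list file into ip_network objects, ignoring blanks/comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


NEVER_RD = load_never_rd_list(RBL_FILE_TEXT)


def parse_header(packet):
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", packet[:12])
    return {
        "id": qid,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "qdcount": qdcount,
    }


def parse_qname(packet, offset=12):
    """Read the first question name; a question section never needs
    compression pointers, so a pointer here is treated as malformed."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        n = packet[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels) + ".", offset


def build_query(qid, name, rd, opcode=OPCODE_QUERY, qtype=1, qclass=1):
    """Encode a one-question DNS message; used only to construct sample traffic."""
    flags = (opcode << 11) | ((1 << 8) if rd else 0)
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def decide(src_ip, packet):
    """'drop': RD query from a listed source, answer nothing at all.
    'answer': everything else (iterative queries, NOTIFY, responses) goes to
    the server's normal handling, including its usual allow-recursion policy."""
    hdr = parse_header(packet)
    if hdr["qr"] or hdr["opcode"] != OPCODE_QUERY:
        return "answer"
    src = ipaddress.ip_address(src_ip)
    if hdr["rd"] and any(src in net for net in NEVER_RD):
        return "drop"
    return "answer"


def process(traffic):
    """Apply decide() to (src_ip, packet) pairs and count the outcomes."""
    counts = {"drop": 0, "answer": 0}
    for src, pkt in traffic:
        counts[decide(src, pkt)] += 1
    return counts


# Constructed sample traffic, one packet per case the post discusses.
SAMPLE_TRAFFIC = [
    ("192.0.2.4", build_query(0x1001, "example.com.", rd=True)),      # spoofed listed source, RD set: drop
    ("192.0.2.4", build_query(0x1002, "example.com.", rd=False)),     # iterative query from it: answer
    ("203.0.113.9", build_query(0x1003, "example.com.", rd=True)),    # unlisted source: normal handling
    ("198.51.100.7", build_query(0x1004, "example.com.", rd=False,
                                 opcode=OPCODE_NOTIFY)),              # NOTIFY from a listed server: answer
    ("2001:db8:1::53", build_query(0x1005, "example.com.", rd=True)), # listed IPv6 source, RD set: drop
]

if __name__ == "__main__":
    for src, pkt in SAMPLE_TRAFFIC:
        print(src, parse_qname(pkt)[0], decide(src, pkt))
    print(process(SAMPLE_TRAFFIC))
```

The important property is that only the RD bit combined with a listed source address triggers a drop; NOTIFY (opcode 4) and RD=0 queries from the same addresses still reach the server, which is the caveat the post raises about secondaries and NOTIFY.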