nanog mailing list archives
Re: Tightened DNS security question re: DNS amplification attacks.
From: Phil Pennock <phil.pennock () spodhuis org>
Date: Thu, 29 Jan 2009 11:54:14 -0800
On 2009-01-29 at 14:01 +0100, Florian Weimer wrote:
* Mark Andrews:
The most common reason for recursive queries to an authoritative server is someone using dig, nslookup or similar and forgetting to disable recursion on the request.
Useful to know, thanks. So someone performing diagnostics on one of the root/gTLD/ccTLD servers would need to remember to dig +norec when checking visibility? Are manual diagnostics going out from the source IP of such auth nameservers considered common? In any case, it's a small enough, and hopefully clued enough, sample of admins that it shouldn't be a problem. Any organisation seeking to add their auth nameservers to a public RBL of such IPs will have to accept the same constraint on needing clued staff. No tears shed at that.
dnscache in "forward only" mode also sets the RD bit, and apparently does not restrict itself to the configured forwarders list. (This is based on a public report, not on first-hand knowledge.)
Unless any of the root/gTLD/ccTLD nameservers are also running dnscache, it should be safe to drop UDP RD packets from those source IP addresses, as previously described.
-Phil
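The filter the message proposes, written out as an added example that is not part of the original thread or of any poster's code: a UDP packet to port 53 is dropped only if it is a DNS query (QR clear), has the RD bit set (the bit that `dig +norec` clears), and claims a source address from a list of authoritative-server addresses that are never expected to send recursive queries. The address list uses RFC 5737 documentation ranges and is a stand-in for whatever root/gTLD/ccTLD list an operator would maintain; the packets are constructed inline so the block runs offline. The same parser shows what a dnscache forwarder or a forgotten `+norec` would look like on the wire: an RD query from one of those addresses, which this rule drops.

```python
import ipaddress
import struct

# Constructed stand-in for the root/gTLD/ccTLD source addresses an operator
# would protect. RFC 5737 documentation ranges, not real nameserver addresses.
PROTECTED_AUTH_SOURCES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.53/32"),
]

DNS_PORT = 53
FLAG_QR = 0x8000  # 1 = response, 0 = query
FLAG_RD = 0x0100  # recursion desired; `dig +norec` clears this


def build_dns_query(qname: str, rd: bool, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query. rd=False is the header `dig +norec` sends."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def build_dns_response(txid: int = 0x1234) -> bytes:
    """Header-only response (QR=1, RD copied from the query), no records."""
    return struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD, 0, 0, 0, 0)


def dns_flags(payload: bytes) -> int:
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", payload[2:4])[0]


def rd_set(payload: bytes) -> bool:
    return bool(dns_flags(payload) & FLAG_RD)


def should_drop(src_ip: str, proto: str, dst_port: int, payload: bytes) -> bool:
    """The rule from the thread: drop UDP DNS *queries* with RD set whose
    source address is one of the listed authoritative servers.
    Responses (QR=1) from those addresses are their legitimate traffic and
    are never touched; TCP and non-53 traffic is out of scope."""
    if proto != "udp" or dst_port != DNS_PORT:
        return False
    try:
        flags = dns_flags(payload)
    except ValueError:
        return False  # not parseable as DNS; leave it to other filters
    if flags & FLAG_QR:
        return False  # a response, not a query
    if not flags & FLAG_RD:
        return False  # auth-to-auth query, or dig +norec: allowed
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in PROTECTED_AUTH_SOURCES)


def filter_sample() -> dict:
    """Run the rule over a constructed traffic sample; returns drop/pass counts."""
    q_rd = build_dns_query("example.com", rd=True)
    q_norec = build_dns_query("example.com", rd=False)
    sample = [
        ("192.0.2.10", "udp", 53, q_rd),              # spoofed (or forgotten +norec): drop
        ("192.0.2.10", "udp", 53, q_norec),           # dig +norec from an auth server: pass
        ("198.51.100.53", "udp", 53, build_dns_response()),  # response: pass
        ("203.0.113.7", "udp", 53, q_rd),             # ordinary resolver, not listed: pass
        ("192.0.2.10", "tcp", 53, q_rd),              # TCP: out of scope here, pass
    ]
    counts = {"drop": 0, "pass": 0}
    for src, proto, port, payload in sample:
        counts["drop" if should_drop(src, proto, port, payload) else "pass"] += 1
    return counts


if __name__ == "__main__":
    print(filter_sample())
```

Two caveats the thread itself raises are visible in the sample: the second packet only passes because recursion was disabled on the request, and a dnscache instance in forward-only mode, or an admin running plain `dig` from an authoritative server's address, would emit the first packet and be dropped.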