Re: Tightened DNS security question re: DNS amplification attacks.

[Phil Pennock <phil.pennock () spodhuis org>]

On 2009-01-29 at 14:01 +0100, Florian Weimer wrote:
> * Mark Andrews:
> >     The most common reason for recursive queries to a authoritative
> >     server is someone using dig, nslookup or similar and forgeting
> >     to disable recursion on the request.

Useful to know, thanks.

So someone performing diagnostics on one of the root/gTLD/ccTLD servers
would need to remember to dig +norec when checking visibility?  Are
manual diagnostics going out from the source IP of such auth
nameservers considered common?  In any case, it's a small enough, and
hopefully clued enough, sample of admins that it shouldn't be a problem.

Any organisation seeking to add their auth nameservers to a public RBL
of such IPs will have to accept the same constraint on needing clued
staff.  No tears shed at that.

> dnscache in "forward only" mode also sets the RD bit, and apparently
> does not restrict itself to the configured forwarders list.  (This is
> based on a public report, not on first-hand knowledge.)

Unless any of the root/gTLD/ccTLD nameservers are also running dnscache,
it should be safe to drop UDP RD packets from those source IP addresses,
as previously described.

-Phil