Hello,

Recently I discussed with a friend of mine the idea of NTP and DNS in the context of denial of service attacks. In NTP this amplification attack is done with the monlist command (that should honestly never have been publicly available due to its purpose being pretty much entirely debugging-related). The DNS version was rather unclear to me however.

Said friend said to me that he tested my authoritative name servers and found them to be not vulnerable. I don't run the latest and greatest of BIND at all, I mean it's Debian distribution packages we're talking about there... But they were set up to be exclusively authoritative. They do not respond to recursive queries. It appears that the test of whether a server is "vulnerable" or not has to do with this. The command used to test this was apparently "dig +short test.openresolver.com TXT @your.name.server". That's simply a recursive query of what appears to be an arbitrary record to me.

This also meant that supposedly the recursive DNS servers from Google, Cloudflare and Quad9 were all considered vulnerable. I find this very hard to believe. Authoritative name servers may not need a huge DNS infrastructure for a small-ish zone (say under 1k records), but recursors on the scale of Google and Cloudflare in particular (not sure how popular Quad9 is so far)... those use massive infrastructure including anycast and everything! I'd consider it safe to assume that their servers are at least on the order of 100Gbps cumulatively, if not more. If these were vulnerable to amplification attacks just because they allow recursion, wouldn't skids be jumping on this like there's no tomorrow? It doesn't make any sense to me.

This seems to be not very well documented online (or more likely my search terms aren't right), so yeah... I wonder why the idea of recursion became associated with a vulnerable server in the first place.

--
Met vriendelijke groet / Best regards,
Michael De Roover
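As an added example (not part of the original post or of BIND), the following Python script builds the same kind of recursive TXT query that the dig test above sends and shows what an open-resolver checker actually looks for in the reply: the RA flag together with an answer section (the server recursed for a name it is not authoritative for), or a REFUSED code (authoritative-only), plus the size ratio between response and query, which is the amplification a spoofed-source attacker would obtain. Both replies are constructed offline; the name test.openresolver.com and the 4096-byte EDNS buffer size are assumptions.

```python
import struct

QTYPE_TXT, QCLASS_IN = 16, 1
RCODE_REFUSED = 5

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, txid=0x1234, edns_bufsize=4096):
    """Recursive TXT query (RD=1) with an EDNS0 OPT record, like dig sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    # OPT pseudo-RR: root name, type 41, CLASS = advertised UDP payload size, TTL 0, no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte DNS header into the flags a checker cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}

def classify(query, response):
    """Return (verdict, amplification ratio) for one query/response pair."""
    h = parse_header(response)
    ratio = len(response) / len(query)
    if h["rcode"] == RCODE_REFUSED:     # authoritative-only server declined to recurse
        return "refused-not-open", ratio
    if h["ra"] and h["ancount"] > 0:    # recursion available and it answered a foreign name
        return "open-resolver", ratio
    return "unclear", ratio

def constructed_response(query, rcode=0, txt=b""):
    """Synthesise a reply to `query` (constructed sample, not captured traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:-11]            # strip header and the 11-byte OPT record
    if rcode == RCODE_REFUSED:
        # QR=1, RD echoed, RA=0, RCODE=5, no answer: what an authoritative-only server returns
        return struct.pack("!HHHHHH", txid, 0x8100 | rcode, 1, 0, 0, 0) + question
    # QR=1, RD, RA=1, NOERROR, one TXT answer pointing back at the question name (0xC00C)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(txt) + 1)
    return header + question + answer + bytes([len(txt)]) + txt

if __name__ == "__main__":
    q = build_query("test.openresolver.com")
    print(classify(q, constructed_response(q, txt=b"x" * 100)))   # open resolver, ratio > 1
    print(classify(q, constructed_response(q, rcode=RCODE_REFUSED)))
```

Against a live server the same classification would be applied to the bytes returned over UDP; the script stops short of that so it runs without network access.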


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
