Re: recursive DNS servers DDoS as a growing DDoS problem

BCP38 is implemented at the gateway but not at every router) then how exactly is locking down recursive servers so you can only use yours going to solve anything?

Uh... caching maybe? The second field of your answer section when using dig...

The flood is a flood of answers, not queries: you spoof the source address of a query with the address of your target, and the target gets the response from the DNS server. A cache on the DNS server just makes it a more efficient response.

No, it's not, and it doesn't require that all internet software be rewritten; it means that they either need to be recompiled, or just have the dynamically linked library they use for DNS resolution replaced.

Ok fine, it would just mean that everyone on the planet would need to replace all their internet-enabled software with new versions. That'll happen overnight... I think it's still an unrealistic goal.

I think it's pretty obvious that locking down DNS servers at least brings the DNS attacks down to the same problem we've always had: that being good old-fashioned UDP packeting. And at that point, why bother using DNS?

I have not seen a perfect solution yet; at best the solutions I've seen mentioned eliminate this one flood vector. I would suggest that when considering which one to choose we look at what we lose with each choice. Eliminate spoofing and you lose virtually nothing; eliminate open recursive servers and you have just created a really powerful control mechanism for entities to control large sections of the internet, since folks from those sections won't be able to use anyone else's DNS servers or even run their own (much like port 25 blocking limits who can run a mail server today). He who controls DNS controls the network.

Geo.
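The mechanism Geo describes (answers, not queries, arriving at a target that never asked for them, because the source address of the query was forged) has a recognisable signature on the victim's side. The following is an added example, not code from the thread or from any of its participants: it reads constructed UDP flow records, uses the QR bit of the DNS header rather than port numbers to tell answers from queries, and flags hosts that receive answers whose (resolver, transaction id) match no query they actually sent. The addresses, flow records and the LOCAL_NET prefix are all assumed sample values.

```python
"""Added example: spot a DNS reflection flood from the victim's side.

A reflected DNS flood shows up at the target as a stream of DNS *answers* for
queries the target never sent, arriving from many resolvers at once.  Port
numbers alone are a weak signal, so this checks the QR bit of the DNS header
and matches each answer against the (client, resolver, transaction id) of the
queries the client really issued.

All flow records and addresses below are constructed sample data; LOCAL_NET is
a hypothetical prefix for the network being defended.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass

LOCAL_NET = "203.0.113."   # assumed prefix of the defended network (documentation range)

QR_BIT = 0x8000            # RFC 1035 header flag: 1 = response, 0 = query
RD_BIT = 0x0100            # recursion desired
RA_BIT = 0x0080            # recursion available


def dns_header(txid: int, response: bool) -> bytes:
    """Build a 12-byte DNS header (id, flags, qdcount, ancount, nscount, arcount)."""
    flags = RD_BIT | ((QR_BIT | RA_BIT) if response else 0)
    return struct.pack(">HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)


def dns_txid_and_qr(hdr: bytes):
    """Return (transaction id, is_response) from a DNS header, or None if too short."""
    if len(hdr) < 12:
        return None
    txid, flags = struct.unpack(">HH", hdr[:4])
    return txid, bool(flags & QR_BIT)


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    size: int      # UDP payload bytes on the wire
    hdr: bytes     # first 12 bytes of the payload (the DNS header)


# Constructed sample: host 203.0.113.10 sends two legitimate queries to its own
# resolver and gets two answers; in between it receives a burst of large answers
# from resolvers it never queried, i.e. responses to queries forged with its
# address as source.
SAMPLE_FLOWS = [
    Flow(0.00, "203.0.113.10", 40001, "203.0.113.53", 53, 45, dns_header(0x1234, False)),
    Flow(0.01, "203.0.113.53", 53, "203.0.113.10", 40001, 120, dns_header(0x1234, True)),
    Flow(1.00, "198.51.100.7", 53, "203.0.113.10", 53, 3056, dns_header(0x0001, True)),
    Flow(1.02, "198.51.100.8", 53, "203.0.113.10", 53, 2980, dns_header(0x0002, True)),
    Flow(1.05, "198.51.100.9", 53, "203.0.113.10", 53, 3100, dns_header(0x0003, True)),
    Flow(1.07, "192.0.2.20", 53, "203.0.113.10", 53, 3056, dns_header(0x0004, True)),
    Flow(1.10, "198.51.100.7", 53, "203.0.113.10", 53, 2990, dns_header(0x0005, True)),
    Flow(1.12, "198.51.100.8", 53, "203.0.113.10", 53, 3120, dns_header(0x0006, True)),
    Flow(5.00, "203.0.113.10", 40002, "203.0.113.53", 53, 48, dns_header(0x4444, False)),
    Flow(5.02, "203.0.113.53", 53, "203.0.113.10", 40002, 200, dns_header(0x4444, True)),
]


def find_reflection_victims(flows, window=2.0, min_reflectors=3):
    """Return {victim: {"unsolicited": n, "reflectors": set, "bytes": total}}.

    An answer is 'unsolicited' when the destination host never sent a query with
    that transaction id to that resolver within `window` seconds before it.
    Hosts hit from fewer than `min_reflectors` distinct sources are not reported.
    """
    queries = defaultdict(list)            # (client, resolver, txid) -> [ts, ...]
    for f in flows:
        parsed = dns_txid_and_qr(f.hdr)
        if parsed and not parsed[1] and f.src.startswith(LOCAL_NET):
            queries[(f.src, f.dst, parsed[0])].append(f.ts)

    stats = defaultdict(lambda: {"unsolicited": 0, "reflectors": set(), "bytes": 0})
    for f in flows:
        parsed = dns_txid_and_qr(f.hdr)
        if not parsed or not parsed[1] or not f.dst.startswith(LOCAL_NET):
            continue
        sent = queries.get((f.dst, f.src, parsed[0]), [])
        if any(0 <= f.ts - q <= window for q in sent):
            continue                        # answer to a query this host really sent
        s = stats[f.dst]
        s["unsolicited"] += 1
        s["reflectors"].add(f.src)
        s["bytes"] += f.size

    return {v: s for v, s in stats.items() if len(s["reflectors"]) >= min_reflectors}


if __name__ == "__main__":
    for victim, s in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {s['unsolicited']} unsolicited answers, "
              f"{len(s['reflectors'])} reflectors, {s['bytes']} bytes")
```

Matching on transaction id rather than on port is what separates a reflection flood from ordinary resolver traffic: the victim's own answers always correspond to a query it sent moments earlier, while the forged ones never do. Note that this only identifies the victim and the reflectors; the true source of the forged queries is invisible here, which is exactly why the post argues for ingress filtering (BCP38) at the network the spoofed packets leave from.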
