DNS security, amplification attacks and recursion
Michael De Roover
isc at nixmagic.com
Tue Jul 7 13:00:13 UTC 2020
Recently I discussed with a friend of mine the idea of NTP and DNS in
the context of denial of service attacks. In NTP this amplification
attack is done with the monlist command (that should honestly never have
been publicly available due to its purpose being pretty much entirely
debugging-related). The DNS version was rather unclear to me however.
Said friend said to me that he tested my authoritative name servers and
found them to be not vulnerable. I don't run the latest and greatest of
BIND at all, I mean it's Debian distribution packages we're talking
about there... But they were set up to be exclusively authoritative.
They do not respond to recursive queries. It appears that the test of
whether a server is "vulnerable" or not has to do with this. The command
used to test this was apparently "dig +short test.openresolver.com TXT
@your.name.server". That's simply a recursive query of what appears to
be an arbitrary record to me.
This also meant that supposedly the recursive DNS servers from Google,
Cloudflare and Quad9 were all considered vulnerable. I find this very
hard to believe. Authoritative name servers may not need a huge DNS
infrastructure for a small-ish zone (say under 1k records), but
recursors on the scale of Google and Cloudflare in particular (not sure
how popular Quad9 is so far)... those use massive infrastructure
including anycast and everything! I'd consider it safe to assume that
their servers are at least on the order of 100Gbps cumulatively, if not
more. If these would be vulnerable to amplification attacks just because
they allow recursion, wouldn't skids be jumping on this like there's no
tomorrow? It doesn't make any sense to me.
This seems to be not very well documented online (or more likely my
search terms aren't right), so yeah... I wonder why the idea of
recursion became associated with a vulnerable server in the first place.
Met vriendelijke groet / Best regards,
Michael De Roover
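Added example (my own code, not from the message above or from BIND): a standard-library Python check that does the same thing as the openresolver test the poster describes, sending one query with RD set to your own name server and then reading the RA flag and RCODE from the reply, plus the reply-to-query byte ratio that is what an amplification attack actually exploits. The function names and the constructed packets are assumptions for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int = 16, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query with the RD (recursion desired) bit set.
    qtype 16 is TXT, matching the 'dig ... TXT' test in the message."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_reply(reply: bytes) -> dict:
    """Decode the header fields that decide the openresolver verdict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),
        "ra": bool(flags & 0x0080),  # RA: server offers recursion to us
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
        "size": len(reply),
    }


def classify(query: bytes, reply: bytes) -> tuple:
    """Return (verdict, bytes-out / bytes-in) for one exchange.
    A server that sets RA and answers for a name it is not authoritative
    for is an open recursor; the ratio is the per-packet amplification it
    would hand to a query carrying a spoofed source address."""
    h = parse_reply(reply)
    if h["ra"] and h["rcode"] == "NOERROR" and h["answers"] > 0:
        verdict = "open recursor"
    elif h["rcode"] == "REFUSED" or not h["ra"]:
        verdict = "recursion not offered"  # what an auth-only BIND returns
    else:
        verdict = "inconclusive"
    return verdict, len(reply) / len(query)


def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> tuple:
    """Send one recursive query to your own server over UDP and classify it."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    return classify(q, reply)
```

An authoritative-only server that answers REFUSED with RA clear also sends back roughly as many bytes as it received, which is why the openresolver test treats it as not useful for amplification.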