DNS security, amplification attacks and recursion

Michael De Roover isc at nixmagic.com
Tue Jul 7 13:00:13 UTC 2020


Recently I discussed with a friend of mine the idea of NTP and DNS in 
the context of denial of service attacks. In NTP this amplification 
attack is done with the monlist command (that should honestly never have 
been publicly available due to its purpose being pretty much entirely 
debugging-related). The DNS version was rather unclear to me however.

Said friend said to me that he tested my authoritative name servers and 
found them to be not vulnerable. I don't run the latest and greatest of 
BIND at all, I mean it's Debian distribution packages we're talking 
about there... But they were set up to be exclusively authoritative. 
They do not respond to recursive queries. It appears that the test of 
whether a server is "vulnerable" or not has to do with this. The command 
used to test this was apparently "dig +short test.openresolver.com TXT 
@your.name.server". That's simply a recursive query of what appears to 
be an arbitrary record to me.

This also meant that supposedly the recursive DNS servers from Google, 
Cloudflare and Quad9 were all considered vulnerable. I find this very 
hard to believe. Authoritative name servers may not need a huge DNS 
infrastructure for a small-ish zone (say under 1k records), but 
recursors on the scale of Google and Cloudflare in particular (not sure 
how popular Quad9 is so far).. those use massive infrastructure 
including anycast and everything! I'd consider it safe to assume that 
their servers are at least on the order of 100Gbps cumulatively, if not 
more. If these would be vulnerable to amplification attacks just because 
they allow recursion, wouldn't skids be jumping on this like there's no 
tomorrow? It doesn't make any sense to me.

This seems to be not very well documented online (or more likely my 
search terms aren't right), so yeah... I wonder why the idea of 
recursion became associated with a vulnerable server in the first place.

Met vriendelijke groet / Best regards,
Michael De Roover

More information about the bind-users mailing list