DNS security, amplification attacks and recursion

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Jul 7 13:22:16 UTC 2020

On Tue, Jul 07, 2020 at 03:00:13PM +0200,
 Michael De Roover <isc at nixmagic.com> wrote 
 a message of 46 lines which said:

> The command used to test this was apparently "dig +short
> test.openresolver.com TXT @your.name.server".

ANY instead of TXT may be more efficient (especially with +dnssec), if
the goal is to get the maximum amplification. Of course, if the server
implements RFC 8482, ANY won't help.

> Authoritative name servers may not need a huge DNS infrastructure
> for a small-ish zone (say under 1k records), but recursors on the
> scale of Google and Cloudflare in particular (not sure how popular
> Quad9 is so far).. those use massive infrastructure including
> anycast and everything! I'd consider it safe to assume that their
> servers are at least on the order of 100Gbps cumulatively, if not
> more.

This is precisely what makes them dangerous. They are good reflectors
(good from the point of view of the attacker). On the other hand, they
typically implement various forms of rate-limiting, and they are
monitored closely by knowledgeable professionals, so they may not be
good reflectors after all.

> If these would be vulnerable to amplification attacks just because
> they allow recursion,

They're not vulnerable; this attack works by reflection (just like the
NTP attack you mentioned), so they are not the potential victims, they
could be used as helpers.
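The dig command quoted above, reduced to its wire-level essentials, as an added example (not code from the post or from BIND): it builds a query for a name you choose, optionally with the EDNS0 DO bit the reply mentions, and reads from the answer the two things an operator auditing their own recursor cares about, whether the server granted recursion to this vantage point (RA set with NOERROR) and how many bytes came back per byte sent. The server name is a placeholder for a resolver you run; the two sample replies are constructed inline so the functions can be exercised without any network.

```python
"""Audit a recursor you operate: does it answer recursive queries from this
vantage point, and how much larger than the query is its reply?
Added example, standard library only. Hostnames are placeholders."""
import secrets
import socket
import struct

QTYPE_TXT = 16
QTYPE_ANY = 255
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name into DNS label wire format (RFC 1035 3.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_TXT, dnssec=False, txid=None):
    """Query with RD set. With dnssec=True append an EDNS0 OPT record
    (RFC 6891) advertising a 4096-byte payload and the DO bit (RFC 3225)."""
    if txid is None:
        txid = secrets.randbits(16)
    flags = 0x0100                                  # RD
    arcount = 1 if dnssec else 0
    packet = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    packet += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if dnssec:
        # OPT RR: root name, TYPE 41, CLASS = payload size, TTL field holds
        # extended RCODE (0), EDNS version (0) and flags (DO = 0x8000), no RDATA
        packet += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return packet


def parse_header(packet):
    """Decode the 12-byte DNS header into named fields."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def assess(query, response):
    """What one exchange tells a defender: did the server recurse for us
    (RA set, NOERROR), and what is the bytes-out / bytes-in ratio?"""
    h = parse_header(response)
    if not h["qr"] or h["id"] != parse_header(query)["id"]:
        raise ValueError("not a response to our query")
    return {
        "open_recursion": h["ra"] and h["rcode"] == 0,
        "truncated": h["tc"],
        "rcode": h["rcode"],
        "amplification": round(len(response) / len(query), 2),
    }


def probe(server, name="test.openresolver.com", qtype=QTYPE_TXT,
          dnssec=False, timeout=3.0):
    """Send one UDP query to a server you operate (the dig test from the
    thread) and assess its reply."""
    q = build_query(name, qtype, dnssec)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        r, _ = s.recvfrom(4096)
    return assess(q, r)


def _question_section(query):
    """Slice the question out of a query we built (no name compression)."""
    i = 12
    while query[i] != 0:
        i += query[i] + 1
    return query[12:i + 5]                          # name + QTYPE + QCLASS


def sample_open_response(query, txt):
    """Constructed reply from an open recursor: QR|RD|RA, NOERROR, one TXT."""
    h = parse_header(query)
    header = struct.pack("!HHHHHH", h["id"], 0x8180, 1, 1, 0, 0)
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return header + _question_section(query) + answer


def sample_refused_response(query):
    """Constructed reply from a server that does not recurse for this
    client: QR|RD, RA clear, RCODE 5 (REFUSED), question echoed only."""
    h = parse_header(query)
    header = struct.pack("!HHHHHH", h["id"], 0x8105, 1, 0, 0, 0)
    return header + _question_section(query)


if __name__ == "__main__":
    q = build_query("test.openresolver.com", QTYPE_TXT, dnssec=True)
    print("open recursor:", assess(q, sample_open_response(q, "v=example " * 10)))
    print("closed recursor:", assess(q, sample_refused_response(q)))
    # Against a live server you administer:  print(probe("resolver.example.net"))
```

`open_recursion` is the signal to act on: a recursor that is reachable from outside your network and reports it should be restricted (allow-recursion to your own prefixes) or rate-limited. The `amplification` figure is the same number openresolver-style checks report and is only meaningful when measured from the outside; it is the ratio that makes a large, well-connected recursor an attractive reflector and that RFC 8482 minimal ANY responses bring down.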
