Advisory Notice for Bind Default Configuration and Reflector Attacks
Paul Vixie
paul at vix.com
Sun Apr 9 20:06:43 UTC 2006
> > All I see is a lot of recursive queries (+) to an authoritative
> > server which is not offering recursion.
> >
> > Iterative resolvers ask non-recursive queries. If you are
> > using a forward zone then you are not acting as an iterative
> > resolver for the namespace covered. Nameservers listed
> > in forwarders clauses need to be configured to accept recursive
> > queries.
>
> Mark is correct, my test was flawed. Thanks for the clue. Now I have
> to decide whether or not I should globally "allow-query { any; };" with
> recursion off (i.e., be friendly and at least return some NS records or
> just return REFUSED). Any conventional wisdom?
if you return any kind of packet, you're a latent ddos reflector. if you
respond with NS RRs, you're also a latent ddos amplifier. either one is
bad, though the latter is slightly worse.
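As an added illustration of the reflector-versus-amplifier distinction Paul draws above (this is an added example, not code from the thread or from BIND), the following script builds the three packets involved directly in DNS wire format: a client's query, the bare REFUSED reply, and a non-recursive reply that carries NS RRs (with glue) in the authority and additional sections. It then measures the bytes-on-wire ratio for each. The query name, the zone, the nameserver names and the 192.0.2.x glue addresses are constructed sample data; no packets are sent.

```python
import struct

# Encode a domain name in DNS wire format (no compression pointers).
def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    # Header: id, flags (RD set, as a client hoping for recursion would),
    # QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0. A query is what the victim
    # (the spoofed source address) never sent but gets answered for.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question

def build_refused(query: bytes) -> bytes:
    # Echo the query back with QR=1, RD copied, RCODE=5 (REFUSED), no RRs.
    # Same size as the query: a reflector, but not an amplifier.
    txid, flags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (flags & 0x0100) | 5
    return struct.pack("!HH", txid, flags) + query[4:]

def build_rr(owner: str, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    # One resource record: NAME, TYPE, CLASS=IN, TTL, RDLENGTH, RDATA.
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_referral(query: bytes, zone: str, nameservers: list) -> bytes:
    # A "friendly" non-recursive reply: NOERROR, no answer, the zone's NS RRs
    # in the authority section and glue A records in the additional section.
    # Every RR added here is bytes the victim receives that it never asked for.
    txid, flags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (flags & 0x0100)  # QR=1, RA=0, RCODE=NOERROR
    question = query[12:]
    authority = b"".join(build_rr(zone, 2, encode_name(ns)) for ns in nameservers)
    # Constructed glue: 192.0.2.1, 192.0.2.2, ... (TEST-NET-1, not real hosts).
    additional = b"".join(
        build_rr(ns, 1, bytes([192, 0, 2, i + 1])) for i, ns in enumerate(nameservers)
    )
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, len(nameservers), len(nameservers))
    return header + question + authority + additional

def amplification(query: bytes, response: bytes) -> float:
    # Bandwidth amplification factor: response bytes per query byte.
    return len(response) / len(query)

if __name__ == "__main__":
    q = build_query("www.example.com.")
    refused = build_refused(q)
    referral = build_referral(q, "example.com.", ["ns1.example.com.", "ns2.example.com."])
    print(f"query    {len(q):4d} bytes")
    print(f"REFUSED  {len(refused):4d} bytes  amplification {amplification(q, refused):.2f}x")
    print(f"NS reply {len(referral):4d} bytes  amplification {amplification(q, referral):.2f}x")
```

With the constructed data the REFUSED reply is exactly the query's size (factor 1.0), while the two-NS referral with glue is more than five times larger, and every extra NS or glue record the server is willing to return pushes that factor up; that is the "slightly worse" case in the reply above, and the ratio only grows if the response also carries EDNS0 or DNSSEC data.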