Advisory Notice for Bind Default Configuration and Reflector Attacks

Paul Vixie paul at
Sun Apr 9 20:06:43 UTC 2006

> > 	All I see is a lot of recursive queries (+) to a authoritative
> > 	server which is not offering recursion.
> > 
> > 	Interative resolver ask non recursive queries. If you are
> > 	using a forward zone they you are not acting as a interative
> > 	resolver for the namespace covered.  Nameservers listed
> > 	in forwarders clauses need to be configured to accept recursive
> > 	queries.
> Mark is correct, my test was flawed.  Thanks for the clue.  Now I have
> to decide whether or not I should globally "allow-query { any; };" with
> recursion off (i.e., by friendly and at least return some NS records or
> just return REFUSED).  Any conventional wisdom?

if you return any kind of packet, you're a latent ddos reflector.  if you
respond with NS RRs, you're also a latent ddos amplifier.  either one is
bad, though the latter is slightly worse.

More information about the bind-workers mailing list