Advisory Notice for Bind Default Configuration and Reflector Attacks

brad at
Thu Mar 23 15:23:00 UTC 2006

No, that is the normal "referral" response that you should get from a server which refuses to recurse on your behalf.  There is still an amplification in terms of the number of bytes sent vs. received, but you don't amplify the number of packets.

We need to think about this.  Do we really want to be forced to take the djbdns solution of ignoring all out-of-zone queries?  That is just one of the things I have hated most about djbdns, but I am just one voice.  Am I so wrong to hate that mode of operation?

-----Original Message-----

From:  itojun at (Jun-ichiro itojun Hagino)
Subj:  Re: Advisory Notice for Bind Default Configuration and Reflector Attacks
Date:  Thu 2006 Mar 23 8:23 am
Size:  673 bytes
To:  bind9-workers at, bind-workers at

	(I cross-posted to bind9 and bind because I am unsure whether they are
	still separate or not)

> The default configuration (open recursive servers) could potentially
> leave your systems vulnerable to being used in malicious attacks.
> We strongly advise you to reconfigure the recursive servers to
> mitigate this risk.

	My home was under attack.  Bad guys sent "MX for" and stuff.

	Even though I restrict recursion, my server returned a list of TLD
	servers (13 .com servers, packet size is almost 512 bytes).  So even
	though there is no traffic increase, I see 1 return packet against
	1 attack packet.  Is it intentional, or am I using code that is too old?


This message sent via Versamail 3.0B on a Palm Treo 650.
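The exchange discussed in this thread, as an added example that is not code from the original posts or from BIND: it builds the small spoofed "MX for example.com" query and the referral a server that refuses recursion sends back (empty answer, the 13 .com NS records in the authority section plus their glue), then measures how much the response amplifies in bytes versus in packets. The server host names follow the real gtld-servers.net pattern, but the glue addresses are constructed from 192.0.2.0/24 documentation space, and the query name, transaction ID and TTLs are arbitrary choices for the illustration.

```python
import struct

# Added example for this thread (not BIND code): build the attacker's query and the
# referral a non-recursive server sends back, then measure byte vs packet amplification.

QTYPE = {"A": 1, "NS": 2, "MX": 15}

# 13 .com servers, as in itojun's message. Host names follow the real gtld-servers.net
# pattern; the addresses are constructed from documentation space (192.0.2.0/24).
GTLD = [("%s.gtld-servers.net" % c, "192.0.2.%d" % (i + 1))
        for i, c in enumerate("abcdefghijklm")]


class DnsBuilder:
    """Minimal wire-format DNS message builder with RFC 1035 name compression."""

    def __init__(self, txid, flags, qd=0, an=0, ns=0, ar=0):
        self.buf = bytearray(struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar))
        self.table = {}  # name suffix -> offset of its first occurrence in buf

    def name(self, name):
        """Encode `name` as it will appear when appended at the current end of buf."""
        labels = [l for l in name.rstrip(".").split(".") if l]
        out = bytearray()
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:])
            if suffix in self.table:
                out += struct.pack("!H", 0xC000 | self.table[suffix])
                return bytes(out)  # a compression pointer terminates the name
            self.table[suffix] = len(self.buf) + len(out)
            out += bytes([len(label)]) + label.encode("ascii")
        return bytes(out + b"\x00")

    def question(self, qname, qtype):
        self.buf += self.name(qname) + struct.pack("!HH", QTYPE[qtype], 1)

    def rr(self, owner, rtype, ttl, rdata_name=None, rdata_ip=None):
        self.buf += self.name(owner) + struct.pack("!HHI", QTYPE[rtype], 1, ttl)
        if rdata_name is not None:          # NS: RDATA is a compressible name
            pos = len(self.buf)
            self.buf += b"\x00\x00"         # RDLENGTH placeholder, filled in below
            rdata = self.name(rdata_name)   # offsets computed after the placeholder
            self.buf += rdata
            struct.pack_into("!H", self.buf, pos, len(rdata))
        else:                               # A: four raw octets
            rdata = bytes(int(o) for o in rdata_ip.split("."))
            self.buf += struct.pack("!H", len(rdata)) + rdata


def build_query(txid=0x1234):
    """The spoofed query: 'MX example.com' with RD=1 and no EDNS, as small as it gets."""
    m = DnsBuilder(txid, 0x0100, qd=1)
    m.question("example.com.", "MX")
    return bytes(m.buf)


def build_referral(txid=0x1234):
    """What a server that refuses recursion answers: QR=1, RD echoed, RA=0, AA=0,
    empty answer section, the .com NS set in authority and its glue in additional."""
    m = DnsBuilder(txid, 0x8100, qd=1, an=0, ns=len(GTLD), ar=len(GTLD))
    m.question("example.com.", "MX")
    for host, _ in GTLD:
        m.rr("com.", "NS", 172800, rdata_name=host)
    for host, ip in GTLD:
        m.rr(host, "A", 172800, rdata_ip=ip)
    return bytes(m.buf)


def classify(msg):
    """Header facts a reflector check needs: is this a referral, and was recursion offered?"""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
        "answer": an, "authority": ns, "additional": ar,
        "referral": an == 0 and ns > 0 and not (flags & 0x0400) and (flags & 0x000F) == 0,
    }


def amplification(query, response):
    """(byte amplification factor, packet amplification factor) for one exchange."""
    return len(response) / len(query), 1.0


if __name__ == "__main__":
    q, r = build_query(), build_referral()
    bytes_x, pkts_x = amplification(q, r)
    print("query %d bytes, referral %d bytes: %.1fx bytes, %.0fx packets"
          % (len(q), len(r), bytes_x, pkts_x))
    print(classify(r))
```

Run as a script it reports a 29-byte query answered by a 461-byte referral: roughly 16x amplification in bytes and exactly 1x in packets, which is the distinction brad draws above, and the response sits just under the 512-byte UDP limit that itojun observed. `classify()` is the check a practitioner would run against a captured response: an empty answer section with a populated authority section, AA=0, RA=0 and RCODE=0 is a referral, not an error, so a server "restricting recursion" with this behaviour is still usable as a reflector, just a less efficient one.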
