Advisory Notice for Bind Default Configuration and Reflector Attacks
Mark Andrews
Mark_Andrews at isc.org
Fri Mar 24 17:43:28 UTC 2006
> > Test with "+norec". That is the way iterative resolvers work.
> > REFUSED is what you want for recursive queries.
>
> dig +norec does the right thing but the resolver doesn't appear
> to agree with your statement.
>
> dig +norec results:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50216
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;whois.example.com. IN A
>
> ;; ANSWER SECTION:
> whois.example.com. 21600 IN CNAME whois.internic.net.
>
> Resolver attempts (from tcpdump):
>
> 09:13:54.416374 IP 192.168.121.22.60587 > 209.246.26.16.domain: 46413+ A? whois.example.com. (36)
> 09:13:54.422104 IP 192.168.121.22.60588 > 209.246.26.16.domain: 46794+ AAAA? whois.example.com. (36)
> 09:13:54.433751 IP 209.246.26.16.domain > 192.168.121.22.60587: 46413 Refused- 0/0/0 (36)
> 09:13:54.434350 IP 192.168.121.22.60589 > 209.246.26.16.domain: 46413+ A? whois.example.com. (36)
> 09:13:54.438440 IP 209.246.26.16.domain > 192.168.121.22.60588: 46794 Refused- 0/0/0 (36)
> 09:13:54.440138 IP 192.168.121.22.60590 > 209.246.26.16.domain: 46794+ AAAA? whois.example.com. (36)
> 09:13:54.450639 IP 209.246.26.16.domain > 192.168.121.22.60589: 46413 Refused- 0/0/0 (36)
> 09:13:54.451083 IP 192.168.121.22.60591 > 209.246.26.16.domain: 27708+ A? whois.example.com. (36)
> 09:13:54.460522 IP 209.246.26.16.domain > 192.168.121.22.60590: 46794 Refused- 0/0/0 (36)
> 09:13:54.461052 IP 192.168.121.22.60592 > 209.246.26.16.domain: 52237+ AAAA? whois.example.com. (36)
> 09:13:54.469678 IP 209.246.26.16.domain > 192.168.121.22.60591: 27708 Refused- 0/0/0 (36)
> 09:13:54.469983 IP 192.168.121.22.60593 > 209.246.26.16.domain: 27708+ A? whois.example.com. (36)
> 09:13:54.476856 IP 209.246.26.16.domain > 192.168.121.22.60592: 52237 Refused- 0/0/0 (36)
> 09:13:54.477233 IP 192.168.121.22.60594 > 209.246.26.16.domain: 52237+ AAAA? whois.example.com. (36)
> 09:13:54.486629 IP 209.246.26.16.domain > 192.168.121.22.60593: 27708 Refused- 0/0/0 (36)
> 09:13:54.494081 IP 209.246.26.16.domain > 192.168.121.22.60594: 52237 Refused- 0/0/0 (36)
>
> As you can see, the CNAME is never returned.
All I see is a lot of recursive queries (+) to an authoritative
server which is not offering recursion.
Iterative resolvers ask non-recursive queries. If you are
using a forward zone then you are not acting as an iterative
resolver for the namespace covered. Nameservers listed
in forwarders clauses need to be configured to accept recursive
queries.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
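As an added example (not part of this thread), a small Python script that applies the diagnosis above to a tcpdump one-line capture: it correlates each query with its reply by client address, port and ID, and reports RD-set queries (the "+" marker) that came back REFUSED, which is the signature of a forwarder that is not offering recursion. The sample capture is constructed, and the regexes assume tcpdump's default one-line DNS output format.

```python
import re

# Constructed sample in the one-line tcpdump format quoted in the thread.
# Hosts and IDs follow the quoted capture; the last exchange is constructed
# to show a non-recursive (no "+") query that the same server does answer.
SAMPLE_CAPTURE = """\
09:13:54.416374 IP 192.168.121.22.60587 > 209.246.26.16.domain: 46413+ A? whois.example.com. (36)
09:13:54.422104 IP 192.168.121.22.60588 > 209.246.26.16.domain: 46794+ AAAA? whois.example.com. (36)
09:13:54.433751 IP 209.246.26.16.domain > 192.168.121.22.60587: 46413 Refused- 0/0/0 (36)
09:13:54.438440 IP 209.246.26.16.domain > 192.168.121.22.60588: 46794 Refused- 0/0/0 (36)
09:13:55.100000 IP 192.168.121.22.60600 > 209.246.26.16.domain: 12345 A? whois.example.com. (36)
09:13:55.110000 IP 209.246.26.16.domain > 192.168.121.22.60600: 12345*- 1/0/0 CNAME whois.internic.net. (66)
"""

# Query: "<client>.<port> > <server>.domain: <id>[+] <type>? <name> (<len>)".
# tcpdump prints "+" after the ID when the RD (recursion desired) bit is set.
QUERY_RE = re.compile(
    r"IP (?P<client>[\d.]+)\.(?P<port>\d+) > (?P<server>[\d.]+)\.domain: "
    r"(?P<id>\d+)(?P<rd>\+?) (?P<qtype>\w+)\? (?P<qname>\S+)"
)
# Reply: "<server>.domain > <client>.<port>: <id>[*][-] [<rcode>] an/ns/ar ...".
# "*" marks AA, "-" marks RA clear; an rcode word is printed only on errors.
REPLY_RE = re.compile(
    r"IP (?P<server>[\d.]+)\.domain > (?P<client>[\d.]+)\.(?P<port>\d+): "
    r"(?P<id>\d+)[*$|-]*\s+(?:(?P<rcode>[A-Za-z]+)[*$|-]*\s+)?(?P<an>\d+)/\d+/\d+"
)

def find_refused_recursion(capture):
    """Correlate queries with replies by (client, port, id) and return the
    RD-set queries that were REFUSED: a forwarder not offering recursion."""
    queries = {}
    for line in capture.splitlines():
        q = QUERY_RE.search(line)
        if q:
            queries[(q["client"], q["port"], q["id"])] = q.groupdict()
    findings = []
    for line in capture.splitlines():
        r = REPLY_RE.search(line)
        if not r:
            continue
        q = queries.get((r["client"], r["port"], r["id"]))
        if q and q["rd"] == "+" and (r["rcode"] or "").lower() == "refused":
            findings.append((q["id"], q["qtype"], q["qname"], r["server"]))
    return findings

if __name__ == "__main__":
    for qid, qtype, qname, server in find_refused_recursion(SAMPLE_CAPTURE):
        print(f"RD query {qid} {qtype} {qname} REFUSED by {server}: "
              "server is not accepting recursive queries")
```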