Advisory Notice for Bind Default Configuration and Reflector Attacks
Gregory Neil Shapiro
gshapiro at gshapiro.net
Fri Mar 24 17:17:46 UTC 2006
> Test with "+norec". That is the way iterative resolvers work.
> REFUSED is what you want for recursive queries.

dig +norec does the right thing but the resolver doesn't appear
to agree with your statement.

dig +norec results:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50216
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;whois.example.com. IN A
;; ANSWER SECTION:
whois.example.com. 21600 IN CNAME whois.internic.net.

Resolver attempts (from tcpdump):
09:13:54.416374 IP 192.168.121.22.60587 > 209.246.26.16.domain: 46413+ A? whois.example.com. (36)
09:13:54.422104 IP 192.168.121.22.60588 > 209.246.26.16.domain: 46794+ AAAA? whois.example.com. (36)
09:13:54.433751 IP 209.246.26.16.domain > 192.168.121.22.60587: 46413 Refused- 0/0/0 (36)
09:13:54.434350 IP 192.168.121.22.60589 > 209.246.26.16.domain: 46413+ A? whois.example.com. (36)
09:13:54.438440 IP 209.246.26.16.domain > 192.168.121.22.60588: 46794 Refused- 0/0/0 (36)
09:13:54.440138 IP 192.168.121.22.60590 > 209.246.26.16.domain: 46794+ AAAA? whois.example.com. (36)
09:13:54.450639 IP 209.246.26.16.domain > 192.168.121.22.60589: 46413 Refused- 0/0/0 (36)
09:13:54.451083 IP 192.168.121.22.60591 > 209.246.26.16.domain: 27708+ A? whois.example.com. (36)
09:13:54.460522 IP 209.246.26.16.domain > 192.168.121.22.60590: 46794 Refused- 0/0/0 (36)
09:13:54.461052 IP 192.168.121.22.60592 > 209.246.26.16.domain: 52237+ AAAA? whois.example.com. (36)
09:13:54.469678 IP 209.246.26.16.domain > 192.168.121.22.60591: 27708 Refused- 0/0/0 (36)
09:13:54.469983 IP 192.168.121.22.60593 > 209.246.26.16.domain: 27708+ A? whois.example.com. (36)
09:13:54.476856 IP 209.246.26.16.domain > 192.168.121.22.60592: 52237 Refused- 0/0/0 (36)
09:13:54.477233 IP 192.168.121.22.60594 > 209.246.26.16.domain: 52237+ AAAA? whois.example.com. (36)
09:13:54.486629 IP 209.246.26.16.domain > 192.168.121.22.60593: 27708 Refused- 0/0/0 (36)
09:13:54.494081 IP 209.246.26.16.domain > 192.168.121.22.60594: 52237 Refused- 0/0/0 (36)

As you can see, the CNAME is never returned.
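A small parser for tcpdump DNS output of the kind shown above, added here as an example and not part of the original message or of BIND: it pairs each query with its reply by client endpoint and DNS ID, reads tcpdump's flag characters ("+" after the ID on a query means the RD bit is set; "-" on a reply means RA is clear; a non-NOERROR reply carries its rcode as a word such as "Refused"), and reports which recursion-desired queries were answered REFUSED. The capture lines in SAMPLE_CAPTURE are taken from the post; the final query/reply pair, with RD clear and a NOERROR CNAME answer, is constructed to show what the +norec case looks like on the wire.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One tcpdump DNS line: timestamp, "IP src > dst:", the 16-bit ID, then flag
# characters. On a query "+" = RD set. On a reply "*" = AA, "-" = RA not set.
# A reply whose rcode is not NOERROR prints the rcode as a word (e.g. "Refused")
# between the ID and the answer/authority/additional counts.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)(?P<flags>[+*$|-]*)"
    r"(?: (?P<rcode>[A-Za-z]+)(?P<rflags>[+*$|-]*))?"
    r" (?P<rest>.*)$"
)
# The question part of a query line, e.g. "A? whois.example.com."
QUESTION_RE = re.compile(r"^(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")


@dataclass
class Transaction:
    client: str                 # ip.port of the side that asked
    server: str
    dns_id: int
    qtype: str = "?"
    qname: str = "?"
    rd: bool = False            # recursion desired bit on the query
    rcode: Optional[str] = None  # None = no reply seen, "NOERROR" = reply without error word
    ra: Optional[bool] = None   # recursion available bit on the reply


def parse_tcpdump(lines: List[str]) -> List[Transaction]:
    """Group query and reply lines into transactions keyed by (client endpoint, ID)."""
    txns = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dns_id = int(m["id"])
        q = QUESTION_RE.match(m["rest"])
        if q and m["rcode"] is None:
            # A query: the client is the source address.
            key = (m["src"], dns_id)
            t = txns.setdefault(key, Transaction(m["src"], m["dst"], dns_id))
            t.qtype, t.qname = q["qtype"], q["qname"]
            t.rd = "+" in m["flags"]
        else:
            # A reply: the client is the destination address.
            key = (m["dst"], dns_id)
            t = txns.setdefault(key, Transaction(m["dst"], m["src"], dns_id))
            t.rcode = m["rcode"] or "NOERROR"
            t.ra = "-" not in (m["flags"] + (m["rflags"] or ""))
    return list(txns.values())


def refused_recursive(txns: List[Transaction]) -> List[Transaction]:
    """Transactions where the client set RD and the server answered REFUSED."""
    return [t for t in txns if t.rd and t.rcode == "Refused"]


def summarize(txns: List[Transaction]) -> dict:
    return {
        "total": len(txns),
        "rd_set": sum(1 for t in txns if t.rd),
        "refused_with_rd": len(refused_recursive(txns)),
        "answered_without_rd": sum(1 for t in txns if not t.rd and t.rcode == "NOERROR"),
    }


# Lines from the capture in the post, plus one constructed pair (ports 60595,
# ID 11111) showing a query with RD clear answered NOERROR with the CNAME.
SAMPLE_CAPTURE = [
    "09:13:54.416374 IP 192.168.121.22.60587 > 209.246.26.16.domain: 46413+ A? whois.example.com. (36)",
    "09:13:54.422104 IP 192.168.121.22.60588 > 209.246.26.16.domain: 46794+ AAAA? whois.example.com. (36)",
    "09:13:54.433751 IP 209.246.26.16.domain > 192.168.121.22.60587: 46413 Refused- 0/0/0 (36)",
    "09:13:54.434350 IP 192.168.121.22.60589 > 209.246.26.16.domain: 46413+ A? whois.example.com. (36)",
    "09:13:54.438440 IP 209.246.26.16.domain > 192.168.121.22.60588: 46794 Refused- 0/0/0 (36)",
    "09:13:54.450639 IP 209.246.26.16.domain > 192.168.121.22.60589: 46413 Refused- 0/0/0 (36)",
    # constructed: the same question with RD clear, as dig +norec would send it
    "09:13:54.500000 IP 192.168.121.22.60595 > 209.246.26.16.domain: 11111 A? whois.example.com. (36)",
    "09:13:54.505000 IP 209.246.26.16.domain > 192.168.121.22.60595: 11111*- 1/0/0 CNAME whois.internic.net. (60)",
]

if __name__ == "__main__":
    transactions = parse_tcpdump(SAMPLE_CAPTURE)
    for t in refused_recursive(transactions):
        print(f"RD query from {t.client} id={t.dns_id} {t.qtype} {t.qname} -> REFUSED")
    print(summarize(transactions))
```

Run against a capture taken on the client, the summary separates "the server refuses recursion" (RD queries refused while RD-clear queries are answered authoritatively) from "the server is down" (no replies at all), which is the distinction the thread turns on.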