I hate to do it, but I would hate even more for our DNS servers to be used to attack an innocent third party. So, shortly here we will be disabling recursive queries from being allowed outside of our IP address ranges. I am currently logging traffic to our primary recursive server, to try to find people who are using this as a DNS server. Read on for more details.
The problem is that DNS uses UDP, so an attacker can send small queries with a spoofed address, and see a multiplication. In other words, for every <100 byte packet the attacker sends, they can cause up to 4KB of responses to be sent to the third party. These attacks are particularly horrible because they can allow an attacker on a modest DSL or T1 line to saturate a fairly hefty DS-3 line. No need for distributed denial of service across many machines…
We have shut down recursive queries on 220.127.116.11, our secondary preference recursive resolver, already. I'm currently logging traffic going to 18.104.22.168, our primary recursive resolver, and trying to see whom else may be using that server. At some point shortly, .2 will also be shut down for recursive queries.
I'm sad about it because it's nice to be able to run public services that people can reliably use.
So, if you are using one of our DNS servers, please switch to using your upstream ISPs DNS servers.comments powered by Disqus