<<< Date Index >>>     <<< Thread Index >>>

Re: recursive DNS servers DDoS as a growing DDoS problem



MaddHatter wrote:
We discussed recursive DNS servers before (servers which allow to query
anything - including what they are not authoritative for, through them).
...
One of the problems is obviously the spoofing. ...


Maybe I'm misunderstanding the problem here (but I don't think so). It
seems to be the issue is not DNS -- recursive or not, but rather a failure
to adhere to BCP 38.
        http://rfc.net/bcp38.html

One may get easier/larger amplification from a recursive DNS server,
but the same problem exists for a non-recursive server. DNS, then, isn't
really where the problem needs to be fixed.

You are right, to a degree.

Spoofing is indeed the attack vector and it can also be utilized for NTP, ICMP, etc. It is to blame.

Still, DNS is what's being exploited and in my opinion a broken feature being exploited needs fixing, or it will be exploited.