Wed, 12 Apr 2006
Open Recursive DNS servers
The slow but steady change of the Net from the cooperative network to the hostile environment full of fscking bastards continues: it seems the bad guys are using DNS servers as bandwidth amplifiers for DDoSes. Even CZ.NIC warns about open recursive DNS servers.
I thought that open recursive DNS servers are not a big threat (at most 10-fold bandwidth amplification, maybe less, low power of DNS servers, etc). So we had our DNS servers open. I often [ab]use this when I am on some foreign network where the DNS servers are not known (misconfigured DHCP or whatever), and I use our DNS servers in such situations.
Now it seems it is time to disable recursion for foreign IP addresses, and as for my laptop - I guess I will just install a cache-only DNS server there.
However, even with legal DNS queries it is possible to get a decent bandwidth amplification - for example, the query for our domain with RR type any is some 56 bytes, while the reply has 382 bytes - i.e. nice 6.8x amplification (with anonymization as a "nice" bonus). I don't think open recursion is the problem here. The problem is the connection-less nature of the UDP-based protocols. I am not sure about the solution, however. Maybe the TCP-only DNS even at the cost of higher bandwidth and resource usage, and higher latency of queries?