Re: [gentoo-user] How to prevent a dns amplification attack

[Alan McKinnon <alan.mckinnon@gmail.com>]

On 28/03/2013 17:38, Michael Mol wrote:
> On 03/28/2013 04:51 AM, Norman Rieß wrote:
>> Hello,
>>
>> i am using pdns recursor to provide a dns server which should be usable
>> for everybody.The problem is, that the server seems to be used in dns
>> amplification attacks.
>> I googled around on how to prevent this but did not really find
>> something usefull.
>>
>> Does anyone got an idea about this?
> 
> I'm not sure it can be done. You can't make a resolver available to
> "everybody" without somebody in that "everybody" group abusing it, and
> that's exacly what happens in a DNS amplification attack.
> 
> Restrict your resolver to be accessible only to your network or, at
> most, those of the specific group of people you're seeking to help.
> 
> You *might* try restricting the resolver to only respond to TCP requests
> rather than UDP requests, 

NO NO NO NO NO

Under no circumstances ever do this. The service breaks horribly when
you do this and it has to work even remotely hard. Most likely your ISP
will outright ban you for that if you use the ISP's caches. I knwo I do,
and so does every other major ISP in this country.

but if the resolver sends response data along
> with that first SYN+ACK, then nothing is solved, and you've opened
> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver
> went offline as a result of a SYN flood, at least it wouldn't be part of
> an amplification attack any longer...)


Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
knows how to do it right and the user does not.


-- 
Alan McKinnon
alan.mckinnon@gmail.com