Bind dns amplification attack

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Mar 29 07:24:36 UTC 2023


>On 3/28/23 11:28 AM, Matus UHLAR - fantomas wrote:
>>Yes, this is one of the problems with "authoritative zones for local use".

On 28.03.23 12:18, Grant Taylor via bind-users wrote:
>Authorizing the /zone/ for local use wasn't the problem.  The problem 
>was that the world could get some of that zone's data from the query 
>cache even if they couldn't query the zone directly.

When was this?

Querying the cache is by default allowed for the same clients as recursion, 
perhaps unless it was an old BIND version.


>>The default root "hint" zone is only available for those who have 
>>recursion available.

>I feel like the "root hint zone" is considerably different than "root 
>zone" proper.  The fact that they have different zone types seems to 
>support that.

Yes. The content of the hint zone is abused to generate an amplification attack:

Mar 26 16:03:53 fantomas named[1654]: client @0xe7379d50 195.88.25.138#59467 (.): query (cache) './ANY/IN' denied

If you have a local root zone, a response is provided by default, and it can be 
huge:

% dig +noanswer +noadditional +nocomments +nocmd +noquestion -t any . @fantomas.fantomas.sk
;; Query time: 0 msec
;; SERVER: 195.80.174.185#53(195.80.174.185)
;; WHEN: Wed Mar 29 09:23:27 CEST 2023
;; MSG SIZE  rcvd: 2904


But the default "type hint" root is treated as cache and REFUSED is sent.


-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
On the other hand, you have different fingers.
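
Added example, not part of the original post: a small Python check that counts denied './ANY/IN' cache queries per logged client in named log lines of the format quoted above, and computes the size ratio for the 2904-byte answer. The sample log lines, the threshold and the 28-byte query size are assumptions made for illustration.

```python
import re
from collections import Counter

# BIND "query (cache) ... denied" line, in the format quoted in the message above.
DENIED = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f:.]+)#\d+ \([^)]*\): "
    r"(?:view \S+: )?query \(cache\) '(?P<qname>\S+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied"
)

def parse_denied(line):
    """Return (client_ip, qname, qtype) for a denied cache query, else None."""
    m = DENIED.search(line)
    return (m["ip"], m["qname"], m["qtype"]) if m else None

def root_any_probes(lines, threshold=3):
    """Count denied './ANY' cache queries per logged client; keep counts >= threshold.
    The logged address is usually spoofed: it is the intended victim of the
    reflection, so treat it as a target to protect, not as the attacker."""
    hits = Counter()
    for line in lines:
        rec = parse_denied(line)
        if rec and rec[1] == "." and rec[2] == "ANY":
            hits[rec[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def amplification(response_bytes, query_bytes=28):
    """Response/query size ratio. 28 bytes is an assumed minimal query:
    12-byte header + 5-byte '. ANY IN' question + 11-byte empty EDNS OPT record."""
    return response_bytes / query_bytes

# Constructed sample log (documentation addresses), same format as the quoted line.
SAMPLE = [
    "Mar 26 16:03:53 ns1 named[1654]: client @0xe7379d50 192.0.2.10#59467 (.): query (cache) './ANY/IN' denied",
    "Mar 26 16:03:54 ns1 named[1654]: client @0xe7379d60 192.0.2.10#40112 (.): query (cache) './ANY/IN' denied",
    "Mar 26 16:03:54 ns1 named[1654]: client @0xe7379d70 192.0.2.10#51820 (.): query (cache) './ANY/IN' denied",
    "Mar 26 16:03:55 ns1 named[1654]: client @0xe7379d80 198.51.100.7#33001 (.): query (cache) './ANY/IN' denied",
    "Mar 26 16:03:56 ns1 named[1654]: client 203.0.113.5#1234 (example.com): query (cache) 'example.com/A/IN' denied",
    "Mar 26 16:03:57 ns1 named[1654]: zone example.com/IN: loaded serial 2023032601",
]

if __name__ == "__main__":
    print(root_any_probes(SAMPLE))            # clients at or above the threshold
    print(round(amplification(2904), 1))      # ratio for the 2904-byte answer
```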