[LINK] Open recursive nameservers used for DoS attacks

Robin Whittle rw at firstpr.com.au
Fri May 15 15:05:55 AEST 2009

Short version:  I had configured my nameserver to accept queries from
                any host on the Net, for domains other than my own.
                This meant it could be used as a DDoS amplifier.

I was puzzled by a repetitive series of outgoing packets from my
nameserver (bind 9 on CentOS 5.1, on my fixed IP-address
DSL-connected server at home).  They were long (~1492 byte),
text-based packets returning a reply to some IP address
which had (supposedly) requested it.

In fact, the request would have come from the attacker's machine, and
would have been sent with a spoofed source address - that of the

The request was for a TXT record in a Russian domain which does not
appear in Google.  My nameserver sent the reply, spanning several UDP
packets of lengths: 1492, 1492 and 1165 bytes, to the victim address.

The query packet to my nameserver was only 71 bytes, so this is about
a 58:1 amplification factor of the attacker's effort.   This was
happening every few seconds.

This form of Distributed Denial of Service (DDoS) attack is described in:

  Open Recursive Nameservers What’s the problem with that?
  Students:  P. van Abswoude, P. Tavenier
  Supervising teachers:  J.P. Velders, K. Koymans
  System and Network Engineering, University of Amsterdam
  Final Version February 5, 2007


The solution was in section 5.2.1 of the above report - to configure
bind 9 to only accept recursive queries from machines on my LAN,
rather than from anywhere in the Net.  In the options section of my
named.conf file, I added:

  allow-recursion {; };

and all was well.

I have added this to my notes on configuring bind and other things:


  - Robin
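An added example, not part of Robin's post, showing how an operator could spot the pattern described above in a BIND query log (the `+` in the flags field means the client set the recursion-desired bit) and compute the amplification ratio from the packet sizes quoted in the post. The log lines, the trusted LAN range and the addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines in the classic BIND 9 query-log format:
#   client IP#PORT: query: NAME CLASS TYPE FLAGS (LISTENER)
# A leading '+' in FLAGS means recursion desired; 'E' means EDNS.
SAMPLE_LOG = """\
client 192.168.1.20#53231: query: www.example.com IN A + (192.168.1.1)
client 203.0.113.9#1024: query: example.ru IN TXT +E (198.51.100.2)
client 203.0.113.9#1024: query: example.ru IN TXT +E (198.51.100.2)
client 198.51.100.77#40001: query: mydomain.example IN A - (198.51.100.2)
"""

# Assumed trusted LAN; only these clients should get recursive service.
LAN = [ipaddress.ip_network("192.168.1.0/24")]

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse(line):
    """Return the client IP, name, type and recursion flag of one log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["rd"] = q["flags"].startswith("+")
    return q

def outside_recursion(log, allowed=LAN):
    """List (client, name, qtype) for recursion-desired queries from outside
    the allowed networks: exactly what allow-recursion should be refusing."""
    hits = []
    for line in log.splitlines():
        q = parse(line)
        if q is None or not q["rd"]:
            continue
        ip = ipaddress.ip_address(q["ip"])
        if not any(ip in net for net in allowed):
            hits.append((q["ip"], q["name"], q["qtype"]))
    return hits

def amplification(query_bytes, response_sizes):
    """Bytes delivered to the spoofed victim per byte the attacker sends."""
    return sum(response_sizes) / query_bytes

if __name__ == "__main__":
    print(outside_recursion(SAMPLE_LOG))
    print(round(amplification(71, [1492, 1492, 1165]), 1))  # the post's ~58:1
```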
