[LINK] Open recursive nameservers used for DoS attacks

Robin Whittle rw at firstpr.com.au
Fri May 15 16:22:03 AEST 2009

Hi Barrie,

Thanks very much for pointing this out:

> The problem with this solution is that Bind 9 still returns your "hints"
> file with this query. I have ended up black holing the spoofed address. 
> (I don't have a solution for BIND9).

Indeed it does.  The reply with the hints file is 686 bytes - an
improvement on the previous total of 4149 bytes, but still an
amplification of the attacker's effort of 71 bytes.

More information on the problem is here:


     If your nameserver is an authoritative server for your domains
     then it should not offer recursion at all. If your nameserver is
     a caching resolver for your own use then recursion should be
     restricted to questions from your own IPs only. Also consider
     firewalling off your resolver to only allow access from IPs that
     should have it.

     It is not recommended to use a single nameserver as both a
     caching resolver and an authoritative server.

This server is my gateway machine between the LAN and the Net, on a
single IP address from my fixed IP address DSL service.

On the LAN site, queries arrive at

I suppose I could run two instances of bind 9, one to be the
authoritative server for queries from the outside world - to respond
only to queries on the public IP address - and the other to respond
only to and act as a recursive caching nameserver.

This is contemplated in:


but running two instances of bind sounds like trouble to me.

Another approach is "split views":


This suggests having two copies of the zone files, which seems odd.
I guess one set could be symlinked from the other.

Do you think this would stop the nameserver sending back responses
with the hints file when a request arrives from the outside Net for a
domain it is not authoritative for?

  - Robin

More information about the Link mailing list