Sysadmins are making mistakes configuring and managing DNSSec, and it's leaving systems that should be secure open to exploitation in DNS reflection attacks.
That's the conclusion of Neustar, in a study released here, which found that of more than 1,300 DNSSec-protected domains tested, 80 per cent could be used in an attack.
The domains in question had DNSSec deployed, and also responded to the DNS “ANY” query. The ANY request asks the responder to provide all information about a domain – the MX (mail server) records, IP addresses, and so on. An ANY request therefore returns a lot more information than a simple request for the domain's IP address.
[...] Neustar reckons that, on average, the poorly-configured DNSSec servers could amplify an attacker's traffic by 28.9 times; they turned an 80-byte query into a 2,313-byte response; and the biggest response they received from one of the protected servers was 17,377 bytes, 217 times the size of the query.
Unfortunately, all of this isn't a bug, it's a feature: even with DNSSec, the purpose of the system is to answer queries – so it's not a matter of applying a patch; it's about taking care of systems.
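The amplification figures above, turned into a small log check that a resolver operator could run (an added example, not part of the story or of Neustar's study): it reads constructed records in a hypothetical space-separated log format, flags ANY answers whose size ratio to the query is suspicious, and lists addresses that are hit repeatedly, which in a reflection attack are the spoofed victims rather than the attacker.

```python
from collections import Counter

# Constructed sample records in a hypothetical space-separated format:
#   <timestamp> <client_ip> <qtype> <qname> <query_bytes> <response_bytes>
# (not BIND's or any real resolver's log layout). Sizes mirror the story's
# figures: 80-byte ANY queries answered with 2,313 and 17,377 bytes.
SAMPLE_LOG = """\
2016-08-18T18:11:02Z 203.0.113.7 ANY example.test 80 2313
2016-08-18T18:11:02Z 203.0.113.7 ANY example.test 80 17377
2016-08-18T18:11:03Z 203.0.113.7 ANY example.test 80 2313
2016-08-18T18:11:05Z 198.51.100.9 A www.example.test 60 120
2016-08-18T18:11:06Z 198.51.100.9 ANY example.test 80 960
"""

AMPLIFICATION_THRESHOLD = 10.0  # response/query ratio that warrants an alert
REPEAT_THRESHOLD = 3            # repeated hits on one address = likely victim

def parse_log(text):
    """Turn each non-empty line into a dict; byte counts become ints."""
    fields = ("ts", "client", "qtype", "qname", "query_bytes", "response_bytes")
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(fields, line.split()))
            rec["query_bytes"] = int(rec["query_bytes"])
            rec["response_bytes"] = int(rec["response_bytes"])
            records.append(rec)
    return records

def amplification(rec):
    return rec["response_bytes"] / rec["query_bytes"]

def flag_amplifying_any(records):
    """(client, qname, factor) for ANY answers at or above the threshold."""
    return [(r["client"], r["qname"], round(amplification(r), 1))
            for r in records
            if r["qtype"] == "ANY" and amplification(r) >= AMPLIFICATION_THRESHOLD]

def likely_reflection_victims(records):
    """Addresses receiving repeated amplified ANY answers. With a spoofed
    source, the 'client' is the victim being flooded, so this is who to
    protect (rate-limit or drop ANY answers to), not who to blame."""
    hits = Counter(client for client, _, _ in flag_amplifying_any(records))
    return sorted(c for c, n in hits.items() if n >= REPEAT_THRESHOLD)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, qname, factor in flag_amplifying_any(recs):
        print(f"{client} ANY {qname} amplified {factor}x")
    print("likely victims:", likely_reflection_victims(recs))
```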
(Score: 0) by Anonymous Coward on Thursday August 18 2016, @06:11PM
Yes! yes! but what about! this!
https://en.wikipedia.org/wiki/Denial-of-service_attack#HTTP_POST_DoS_attack [wikipedia.org]
(Score: 0) by Anonymous Coward on Thursday August 18 2016, @06:18PM
This DNS attack can be aimed at anyone; that one only gets machines running HTTP servers. Plus you can block that by black-holing the IP targeting you, as there has to be a handshake first.