SoylentNews is people
SoylentNews
Sysadmins are making mistakes configuring and managing DNSSec, and it's leaving systems that should be secure open to exploitation in DNS reflection attacks.
That's the conclusion of Neustar, in a study released here and which found that of more than 1,300 DNSSec-protected domains tested 80 per cent could be used in an attack.
The domains in question had DNSSec deployed, and also responded to the DNS “ANY” query. The ANY request asks the responder to provide all information about a domain – the MX (mail server) records, IP addresses, and so on. An ANY request therefore returns a lot more information than a simple request for the domain's IP address.
[...] Neustar reckons on average, the poorly-configured DNSSec servers could amplify an attacker's traffic by 28.9 times; they turned an 80 byte query into a 2,313 response; and the biggest response they received from one of the protected servers was 17,377 bytes, 217 times the size of the query.
Unfortunately, all of this isn't a bug, it's a feature: even with DNSSec, the purpose of the system is to answer queries – so it's not a matter of applying a patch; it's about taking care of systems.
(Score: 3, Informative) by NotSanguine on Friday August 19 2016, @12:39AM
On top of that. If you are running a DNS server you should only serve your site.
This assumes that you are not authoritative for a DNS domain. If your DNS server is authoritative for a zone that's exposed to the Internet, not allowing queries will certainly bock any reflection attacks using your DNS server, but it will also have the added beneficial effect of making the servers in your domain unresolvable. Good times!
No, no, you're not thinking; you're just being logical. --Niels Bohr