On Tue, Jul 07, 2020 at 03:00:13PM +0200, Michael De Roover <i...@nixmagic.com> wrote a message of 46 lines which said:
> The command used to test this was apparently "dig +short
> test.openresolver.com TXT @your.name.server".

ANY instead of TXT may be more efficient (especially with +dnssec), if
the goal is to get the maximum amplification. Of course, if the server
implements RFC 8482, ANY won't help.

> Authoritative name servers may not need a huge DNS infrastructure
> for a small-ish zone (say under 1k records), but recursors on the
> scale of Google and Cloudflare in particular (not sure how popular
> Quad9 is so far).. those use massive infrastructure including
> anycast and everything! I'd consider it safe to assume that their
> servers are at least on the order of 100Gbps cumulatively, if not
> more.

This is precisely what makes them dangerous. They are good reflectors
(good from the point of view of the attacker). On the other hand, they
typically implement various forms of rate-limiting, and they are
monitored closely by knowledgeable professionals, so they may not be
good reflectors after all.

> If these would be vulnerable to amplification attacks just because
> they allow recursion,

They're not vulnerable: this attack works by reflection (just like the
NTP attack you mentioned), so they are not the potential victims, they
could be used as helpers.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
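Added example, not part of the thread above and not ISC or BIND code: it shows in wire-format bytes why "ANY with +dnssec" is the amplifier the reply talks about, and how an RFC 8482 HINFO answer removes the gain. It builds the query dig would send (with and without an EDNS0 OPT record carrying the DO bit), builds two constructed responses for example.com (a classic ANY answer with SOA/NS/A/MX/TXT plus placeholder RRSIGs, and an RFC 8482 minimal answer), and computes the amplification factor, i.e. response bytes per query byte that a reflector would send to whoever the attacker put in the spoofed source address. All record contents, the zero-filled RRSIG signatures, and the padding TXT record are constructed sample data, not captured traffic; `example.com` is the RFC 2606 documentation domain.

```python
"""Amplification factor of DNS ANY queries, with and without EDNS0/DO,
against a classic full ANY answer and an RFC 8482 HINFO answer.
Constructed example; no network traffic is sent."""
import struct

# RR type codes (IANA DNS parameters registry)
TYPE_A, TYPE_NS, TYPE_SOA, TYPE_HINFO, TYPE_MX = 1, 2, 6, 13, 15
TYPE_TXT, TYPE_OPT, TYPE_RRSIG, TYPE_ANY = 16, 41, 46, 255
QNAME = "example.com."        # RFC 2606 documentation domain, constructed zone data below
PTR_QNAME = b"\xc0\x0c"       # compression pointer to the question name at offset 12


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Offset just past a wire-format name; a 2-byte compression pointer ends it."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:
            return off + 2
        off += 1 + l


def parse_rrs(msg):
    """(rtype, rclass, ttl, rdata) for every RR after the question section."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # name + QTYPE + QCLASS
    rrs = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return rrs


def opt_rr(udp_size=4096, do=True):
    """EDNS0 OPT pseudo-RR: root owner, CLASS = UDP payload size,
    TTL field = ext-RCODE/version/flags where DO is the top flag bit."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0x8000 if do else 0, 0)


def dnssec_ok(msg):
    """True if the message carries an OPT RR with the DO bit set."""
    return any(t == TYPE_OPT and ttl & 0x8000 for t, _, ttl, _ in parse_rrs(msg))


def build_query(qname, qtype, edns=True, txid=0x1234):
    """What 'dig [+dnssec] <qtype> <qname>' puts on the wire: RD set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + (opt_rr() if edns else b"")


def rr(rtype, rdata, ttl=3600):
    """Answer RR owned by the question name, via compression pointer."""
    return PTR_QNAME + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def rrsig_rdata(type_covered):
    """Constructed RRSIG: alg 8 (RSASHA256), 2 labels, dummy times and key tag,
    signer example.com., 256 zero bytes standing in for an RSA-2048 signature."""
    fixed = struct.pack("!HBBIIIH", type_covered, 8, 2, 3600, 0, 0, 0)
    return fixed + encode_name(QNAME) + b"\x00" * 256


def build_response(query, answers):
    """Echo the question, append answers, mirror EDNS/DO from the query."""
    edns = any(t == TYPE_OPT for t, *_ in parse_rrs(query))
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 1 if edns else 0)
    question = query[12:skip_name(query, 12) + 4]
    return header + question + b"".join(answers) + (opt_rr(do=dnssec_ok(query)) if edns else b"")


def full_any_response(query):
    """Classic ANY answer (constructed): SOA, two NS, A, MX, a 255-byte TXT,
    and one RRSIG per RRset when the query asked for DNSSEC data."""
    soa = (encode_name("ns1.example.com.") + encode_name("hostmaster.example.com.")
           + struct.pack("!IIIII", 2020070701, 7200, 3600, 1209600, 3600))
    answers = [
        rr(TYPE_SOA, soa),
        rr(TYPE_NS, encode_name("ns1.example.com.")),
        rr(TYPE_NS, encode_name("ns2.example.com.")),
        rr(TYPE_A, bytes([198, 51, 100, 1])),            # TEST-NET-2 address
        rr(TYPE_MX, struct.pack("!H", 10) + encode_name("mail.example.com.")),
        rr(TYPE_TXT, bytes([255]) + b"x" * 255),          # constructed padding TXT
    ]
    if dnssec_ok(query):
        answers += [rr(TYPE_RRSIG, rrsig_rdata(t))
                    for t in (TYPE_SOA, TYPE_NS, TYPE_A, TYPE_MX, TYPE_TXT)]
    return build_response(query, answers)


def rfc8482_response(query):
    """RFC 8482 answer to ANY: one HINFO record, CPU 'RFC8482', empty OS."""
    return build_response(query, [rr(TYPE_HINFO, b"\x07RFC8482\x00")])


def is_rfc8482_minimal(response):
    """Exactly one non-OPT record, of type HINFO, whose CPU field is 'RFC8482'."""
    data = [(t, rd) for t, _, _, rd in parse_rrs(response) if t != TYPE_OPT]
    return len(data) == 1 and data[0][0] == TYPE_HINFO and data[0][1].startswith(b"\x07RFC8482")


def amplification(query, response):
    """Bytes the reflector sends to the spoofed victim per byte the attacker sends."""
    return len(response) / len(query)


if __name__ == "__main__":
    for edns in (False, True):
        q = build_query(QNAME, TYPE_ANY, edns=edns)
        full, mini = full_any_response(q), rfc8482_response(q)
        print(f"ANY {'+dnssec' if edns else 'no EDNS'}: query {len(q)} B, "
              f"full answer {len(full)} B (x{amplification(q, full):.1f}), "
              f"RFC 8482 answer {len(mini)} B (x{amplification(q, mini):.1f})")
```

With the constructed zone, the 29-byte plain ANY query draws a 476-byte answer (about 16x); adding the 11-byte OPT record with DO set costs the attacker 11 bytes and adds five RRSIGs, pushing the answer to 1982 bytes (about 50x). The RFC 8482 HINFO answer stays at 61 bytes either way, which is why the reply says ANY "won't help" against such a server. Real responses differ in size (a dig query also carries a cookie, and real zones have other records), so treat the numbers as illustrating the mechanism, not as measurements. For checking a live server, `dig +dnssec ANY example.com @server` and comparing the `MSG SIZE rcvd` line to the query size is the same computation.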