Advisory notice for Open Recursive Nameservers

As you have perhaps noticed in the media, denial-of-service (DoS) attacks using DNS servers to get an amplification of the attack are currently becoming more common.

These attacks all use ORNs, Open Recursive Nameservers. A recursive DNS nameserver is "open" when it accepts to reply, not only to its local network (as it should) but also to the whole world. It can therefore be used as a proxy for the DoS attack. Being part of the attack, it can engages the responsability of his administrator. Since a DNS reply is typically larger than the request, the attack is amplified, so the bad guy can save his bandwidth.

The AFNIC wants to remind that ORNs are a danger for the whole Internet. These ORNs have few legitimate uses. The AFNIC strongly recommends to stop the ORNs, following the techniques described in the references. For instance, for the BIND program, using "recursion no" is recommended. For the legitimate recursive service towards the local network (and towards the clients if you are an access provider), you need to use a second machine, or a second daemon or even the views of BIND 9.

The AFNIC, together with other TLD registries, pursues its reflection about this vulnerability and the best ways to counter it. One of the possible ways is to stop serving the DNS requests from ORNs. At the present time, surveys show that an important part of the nameservers on the Internet are ORNs, which should call for our attention and for action by the system administrators.

References

• Securing an Internet Name Server
  A very good practical synthesis for the system administrator.
  
  
• DNS Amplification attacks
  A good description of the current attacks.
  
  
• The Continuing Denial of Service Threat Posed by DNS Recursion
  Official advice from the USAn CERT.
  
  
• Stop abusing my computer in DDOSes, thanks
  A description of the first known case, known as "x.p.ctrc.cc".