
Advisory notice for Open Recursive Nameservers

04/04/2006

As you may have noticed in the media, denial-of-service (DoS)
attacks that use DNS servers to amplify the attack are
currently becoming more common.

These attacks all rely on ORNs, Open Recursive Nameservers. A recursive
DNS nameserver is “open” when it agrees to answer queries not only from its
local network (as it should) but from the whole world. It can
therefore be used as a proxy for the DoS attack. Being part of the
attack, it may expose its administrator to liability. Since
a DNS reply is typically larger than the request, the attack is
amplified, so the attacker saves his own bandwidth.

AFNIC wishes to remind administrators that ORNs are a danger to the
whole Internet. ORNs have few legitimate uses. AFNIC strongly
recommends shutting down ORNs, following the techniques described in the
references. For instance, for the BIND program, the “recursion no”
option is recommended. For the legitimate recursive service towards the local
network (and towards your clients if you are an access provider), you
need to use a second machine, a second daemon, or the views feature of
BIND 9.
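The following named.conf fragment is an added illustration of the two recommendations above (global “recursion no”, plus BIND 9 views for the local network); it is constructed for this advisory and is not configuration from AFNIC or from the referenced documents. The network 192.0.2.0/24, the zone example.net and its file name are placeholders.

```conf
// Constructed example; the addresses and zone name are placeholders.

// WEAK (the "open recursive" case): recursion is allowed and nothing
// limits who may use it, so anyone on the Internet can query this
// server recursively and use it as a DoS amplifier.
//
// options {
//     recursion yes;
// };

// CORRECTED, global default: refuse recursion for everyone. A server
// that only hosts authoritative zones needs nothing more than this.
options {
    recursion no;
    allow-query { any; };    // authoritative answers remain public
};

// CORRECTED, BIND 9 views: the same daemon still recurses, but only
// for the local network (or your own customers, for an access provider).
acl "local-net" { 127.0.0.1; 192.0.2.0/24; };

view "internal" {
    match-clients { "local-net"; };
    recursion yes;
    allow-recursion { "local-net"; };
    zone "example.net" { type master; file "db.example.net"; };
};

// Everybody else only gets authoritative data for the hosted zones.
// "recursion no" here repeats the global default to make it explicit.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.net" { type master; file "db.example.net"; };
};
```

Once views are used, every zone statement must live inside a view, which is why example.net appears in both. Validate the file with named-checkconf before reloading; after the reload, a recursive query sent from outside the local network should be answered with REFUSED rather than with a resolved answer.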

AFNIC, together with other TLD registries, continues to study
this vulnerability and the best ways to counter it. One
possible measure is to stop answering DNS requests coming from ORNs. At
present, surveys show that a significant proportion of the nameservers
on the Internet are ORNs, which calls for our attention and for
action by system administrators.

References

Securing an Internet Name Server
A very good practical synthesis for the system administrator.

DNS Amplification attacks
A good description of the current attacks.

The Continuing Denial of Service Threat Posed by DNS Recursion
Official advice from the US CERT.

Stop abusing my computer in DDOSes, thanks
A description of the first known case, known as “x.p.ctrc.cc”.

About Afnic

Afnic is the acronym for Association Française pour le Nommage Internet en Coopération, the French Network Information Centre. The registry has been appointed by the French government to manage domain names under the .fr Top Level Domain. Afnic also manages the .re (Reunion Island), .pm (Saint-Pierre and Miquelon), .tf (French Southern and Antarctic Territories), .wf (Wallis and Futuna) and .yt (Mayotte) French Overseas TLDs.

In addition to managing French TLDs, Afnic’s role is part of a wider public interest mission, which is to contribute on a daily basis, thanks to the efforts of its teams and its members, to a secure and stable internet, open to innovation and in which the French internet community plays a leading role. As part of that mission, Afnic, a non-profit organization, donates 90% of its profits to its Foundation for Digital Solidarity. Afnic is also the back-end registry for the companies as well as local and regional authorities that have chosen to have their own TLD, such as .paris, .bzh, .alsace, .corsica, .mma, .ovh, .leclerc and .sncf.

Established in 1997 and based in Saint-Quentin-en-Yvelines, Afnic currently has 80 employees.