Your DNS server responds to UDP packets, which can be used by spoofing the source address of a UDP packet to attack another network. DNS is simply a popular UDP service. Thus, this is more of a firewall issue. Your firewall needs to ensure your UDP traffic is not being spoofed. Unless you are an ISP, there is not much you can do there. Rob's advice is good, but won't fundamentally fix this issue. Disabling UDP or enforcing DNSSEC would resolve the issue, but may have challenges of their own. I'd recommend slaving your DNS to an ISP and letting them deal with this.<br>
<br>-Travis<br><br><br><div class="gmail_quote">On Tue, Apr 2, 2013 at 12:47 AM, Rick Troth <span dir="ltr"><<a href="mailto:rmt@casita.net" target="_blank">rmt@casita.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Can someone explain to me how a DNS server is "open" to a DNS<br>
"amplification attack"?<br>
<br>
If I understand the basic concept, the reply addr is bogus (and is the<br>
target of the attack). What I don't understand is how I'm supposed to<br>
secure my DNS server from assisting the bad guys. If my DNS server is<br>
supposed to answer queries for my domain, how do I ensure that it only<br>
handles legit queries?<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
-- R; <><<br>
_______________________________________________<br>
colug-432 mailing list<br>
<a href="mailto:colug-432@colug.net">colug-432@colug.net</a><br>
<a href="http://lists.colug.net/mailman/listinfo/colug-432" target="_blank">http://lists.colug.net/mailman/listinfo/colug-432</a><br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br>"A careful reading of history clearly demonstrates ...<br>that people don't read history carefully."<br><br>"We can't solve problems by using the same kind of thinking we used when we created them."<br>
—Albert Einstein<br>
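As an added example (not from this thread or anyone in it), a small Python checker over constructed BIND-style query-log lines that flags sources repeatedly asking for answer-heavy query types, which is what Travis's spoofed-source scenario looks like from the reflecting server's side; the log format, field names and addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style of BIND's query log (format assumed;
# addresses are documentation ranges). 198.51.100.7 plays the spoofed victim
# that shows up as the "client" of repeated ANY queries.
SAMPLE_LOG = """\
client 198.51.100.7#53 (example.com): query: example.com IN ANY +E (192.0.2.10)
client 198.51.100.7#53 (example.com): query: example.com IN ANY +E (192.0.2.10)
client 198.51.100.7#53 (example.com): query: example.com IN ANY +E (192.0.2.10)
client 203.0.113.5#40211 (www.example.com): query: www.example.com IN A - (192.0.2.10)
client 203.0.113.9#51002 (example.com): query: example.com IN MX - (192.0.2.10)
client 203.0.113.9#51003 (example.com): query: example.com IN ANY - (192.0.2.10)
"""

LINE_RE = re.compile(
    r"client (?P<src>[0-9.]+)#(?P<sport>\d+) \([^)]*\): query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Query types whose answers are usually far larger than the query, so one
# source repeating them is what a reflector sees during an amplification run.
AMPLIFYING_QTYPES = frozenset({"ANY", "TXT", "DNSKEY", "RRSIG"})


def parse_query_log(text):
    """Return one dict per parseable log line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def find_reflection_candidates(records, min_queries=3):
    """Map source IP -> [(name, qtype, count)] for repeated amplifying queries.

    The source address is forged, so 'src' is the victim, not the attacker;
    the sensible response is to rate-limit large answers to it, not to treat
    it as the aggressor.
    """
    per_src = Counter(
        (r["src"], r["name"], r["qtype"])
        for r in records if r["qtype"] in AMPLIFYING_QTYPES
    )
    flagged = {}
    for (src, name, qtype), n in sorted(per_src.items()):
        if n >= min_queries:
            flagged.setdefault(src, []).append((name, qtype, n))
    return flagged
```

Feeding a real query log through `parse_query_log` and tuning `min_queries` to your normal traffic gives a quick view of which addresses your server is being used to flood.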