[MaraDNS list] MaraDNS and denial-of-service attacks

Sam Trenholme maradns at gmail.com
Thu Mar 28 11:51:55 EDT 2013


I will probably make this entry a full blown blog, but in the
meantime, in light of the huge (300Gb/S) distributed denial-of-service
(DDOS) attack against Spamhaus that used DNS, here are my thoughts:

* MaraDNS 1 and Deadwood do not support a technology called “EDNS”
that allows for large DNS packets.  By only supporting 512-byte
packets, both DNS servers do not allow for the 100x amplification used
in this DDOS that other DNS servers have.

* My DNS software does not come with unrestricted recursive access
enabled by default, and the documentation strongly discourages open
recursion.

* I will have to double check, but, as I recall, the documentation and
example configuration files do not include an example with
unrestricted recursive access.

One feature that would be nice would be to be able to restrict how
much data my DNS server sends to a given IP (again, as noted above,
MaraDNS/Deadwood already has a form of this because they do not
support EDNS).  Unfortunately, since I am not developing new features
for MaraDNS like this without being compensated for my time, I would
need a corporate or government grant to implement this.

- Sam


More information about the list mailing list