By the way, when self-hosting open DNS resolvers, add some security measures and monitoring or your shiny new server will mostly deliver DNS amplification attacks to people after a few weeks. That seems to be missing in the config here.
Not very likely unless the SOA contains more records than simply for the author’s resources. Also, I think it’s assumed that DNSSEC is configured, but the author doesn’t specify.
Seems knot-dns has DNSSEC turned on per default. But what’s all the IP addresses in the config for, if not to offer recursive lookup?
That enables an amplification attack. I think they’ll do lookups to put strain on other servers, not necessarily your zones.That enables an amplification attack.
Technically, you’re right.
An amplification attack is just telling the server to respond to a different/wrong ip with the response to a query than the actual asking request. This is solved generally with DNSSEC verifying the origin and requester ips match, if not, the request is dumped.
However, if your authoritative server doesn’t have records for the request, it will simply forward it (if configured to do so) to an upstream and probably hardened server, or drop the request. Either way, it becomes not your problem.
So unless the amplification attack is asking for records your server is actually hosting and for which your server is authoritative, this isn’t a huge concern.
Thanks! Learned something today. Last time I opened port 53 to the public it didn’t take long and I was sending out several Megabits per second in DNS traffic. Constantly. Mostly querying the same few things. But I guess I had it the wrong way round and that wasn’t the target. Or I’ve seen a different attack type… Guess I can now try again with the new knowledge.
