MaddHatter wrote:
We discussed recursive DNS servers before (servers which allow to query
anything - including what they are not authoritative for, through them).
...
One of the problems is obviously the spoofing. ...
Maybe I'm misunderstanding the problem here (but I don't think so). It
seems to be the issue is not DNS -- recursive or not, but rather a failure
to adhere to BCP 38.
http://rfc.net/bcp38.html
One may get easier/larger amplification from a recursive DNS server,
but the same problem exists for a non-recursive server. DNS, then, isn't
really where the problem needs to be fixed.
You are right, to a degree.
Spoofing is indeed the attack vector and it can also be utilized for
NTP, ICMP, etc. It is to blame.
Still, DNS is what's being exploited and in my opinion a broken feature
being exploited needs fixing, or it will be exploited.
