When querying a Windows DNS server with recursion disabled, the server gives back its list of root hints instead of refusing the request, as does a BIND server.
That list of root servers is significantly longer than a simple "query refused" answer. I.e., in our case BIND's response packet always has the same length as the request, which is 45 bytes for the shortest possible request and/or reply, but the Windows server's response is constantly 431 bytes longer than the request. The response can be up to (476/45)=10.6 times as long as the query. So even if I configure the Windows DNS server to disallow recursion, it can be used in a DNS amplification attack with a gain ratio of around 10.
So my question is: is there any way to make the Windows DNS server reject recursive queries altogether?
Protecting Windows DNS Server from being abused for DNS amplification attacks
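The gain ratio in the question is simply the on-the-wire size of the reply divided by the on-the-wire size of the non-recursive query (the 45-byte figure is a 17-byte DNS message plus 20 bytes of IPv4 and 8 bytes of UDP header). The following added example, which is not from the question or from any Microsoft or BIND tooling, builds that minimal query with the RD flag cleared, parses the reply header, and reports whether a server answered REFUSED or handed back a root-hints referral, together with the resulting amplification ratio. The two sample replies are constructed inline (a REFUSED reply and a simplified 13-entry root referral without glue records, so its size is only close to, not identical to, the 431-byte difference reported above); `probe_server` is a convenience for running the same check against a resolver you administer.

```python
import socket
import struct

# IPv4 header (20) + UDP header (8): the question quotes packet sizes on the wire,
# which is why a 17-byte DNS message shows up as 45 bytes.
IP_UDP_OVERHEAD = 20 + 8

RCODE_NOERROR = 0
RCODE_REFUSED = 5


def encode_name(name):
    """Encode a domain name in DNS wire format ("." becomes the single root label)."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname=".", qtype=2, txid=0x1234, rd=False):
    """Build the smallest useful DNS query: 12-byte header + QNAME + QTYPE + QCLASS.
    rd=False clears the Recursion Desired flag, i.e. a non-recursive query."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Decode the 12-byte DNS header into its flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def assess(query, response):
    """Classify a reply to a non-recursive query and compute its amplification ratio."""
    h = parse_header(response)
    if h["txid"] != parse_header(query)["txid"] or not h["qr"]:
        verdict = "not-a-reply"
    elif h["rcode"] == RCODE_REFUSED:
        verdict = "refused"            # the BIND behaviour described in the question
    elif h["rcode"] == RCODE_NOERROR and h["ancount"] == 0 and h["nscount"] > 0:
        verdict = "referral"           # authority section carries root hints (Windows DNS behaviour)
    else:
        verdict = "other"
    ratio = (len(response) + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)
    return {"verdict": verdict, "rcode": h["rcode"], "nscount": h["nscount"],
            "wire_query_len": len(query) + IP_UDP_OVERHEAD,
            "wire_response_len": len(response) + IP_UDP_OVERHEAD,
            "ratio": ratio}


# --- constructed sample replies (not captured traffic) ---------------------

def build_refused(query):
    """A REFUSED reply: same header/question as the query, QR set, RCODE=5."""
    txid = parse_header(query)["txid"]
    return struct.pack("!HHHHHH", txid, 0x8005, 1, 0, 0, 0) + query[12:]


# Constructed list of the 13 root server names; no glue A records are included,
# and no name compression is used, so this referral is a simplified model.
ROOT_HINTS = [f"{c}.root-servers.net" for c in "abcdefghijklm"]


def build_referral(query):
    """A NOERROR reply whose authority section lists one NS record per root server."""
    txid = parse_header(query)["txid"]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 0, len(ROOT_HINTS), 0)
    records = b""
    for ns in ROOT_HINTS:
        rdata = encode_name(ns)
        # owner "." (1 byte) + TYPE NS + CLASS IN + TTL + RDLENGTH + RDATA
        records += encode_name(".") + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    return header + query[12:] + records


def probe_server(server_ip, timeout=2.0):
    """Send one non-recursive query to a DNS server you administer and assess the reply."""
    query = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return assess(query, data)


if __name__ == "__main__":
    q = build_query()
    for label, reply in (("refused", build_refused(q)), ("referral", build_referral(q))):
        print(label, assess(q, reply))
```

`assess` returns the verdict and ratio as a dict, so the same logic can run over a captured reply or over the live `probe_server` result; a `referral` verdict with a ratio well above 1 is exactly the condition the question describes, while `refused` at ratio 1.0 is the BIND-style behaviour the author wants.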