• hendrik@palaver.p3x.de · 1 upvote · edited · 9 hours ago

    Seems knot-dns has DNSSEC turned on by default. But what are all the IP addresses in the config for, if not to offer recursive lookup? That enables an amplification attack. I think they’ll do lookups to put strain on other servers, not necessarily your zones.

    • non_burglar@lemmy.world · 2 upvotes · edited · 9 hours ago

      That enables an amplification attack.

      Technically, you’re right.

      An amplification attack is just telling the server to send the response to a query to a different/wrong IP than the one that actually sent the request. This is solved generally with DNSSEC verifying that the origin and requester IPs match; if not, the request is dumped.

      However, if your authoritative server doesn’t have records for the request, it will simply forward it (if configured to do so) to an upstream and probably hardened server, or drop the request. Either way, it becomes not your problem.

      So unless the amplification attack is asking for records your server is actually hosting and for which your server is authoritative, this isn’t a huge concern.

      • hendrik@palaver.p3x.de · 2 upvotes · edited · 8 hours ago

        Thanks! Learned something today. Last time I opened port 53 to the public it didn’t take long before I was sending out several megabits per second in DNS traffic. Constantly. Mostly querying the same few things. But I guess I had it the wrong way round and that wasn’t the target. Or I’ve seen a different attack type… Guess I can now try again with the new knowledge.
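The symptom hendrik describes (constant outbound traffic, the same few queries) is what a server being used as a reflector looks like from its own query log: many queries arriving "from" one address and answers many times larger than the questions. As an added example that is not part of the thread or of Knot DNS, this script computes per-source query counts and the response-to-request byte ratio over a constructed, simplified log (the line format is invented here, not Knot's) and flags sources that fit the reflection pattern.

```python
from collections import defaultdict

# Constructed sample in an invented "time src qname qtype rcode req_bytes resp_bytes"
# format; it is not Knot DNS's own log format. 203.0.113.7 receives repeated large
# ANY answers for a hosted zone; the REFUSED line is a query the server is not
# authoritative for and shows almost no amplification.
SAMPLE_LOG = """\
10:00:01 203.0.113.7 example.net ANY NOERROR 45 3120
10:00:01 203.0.113.7 example.net ANY NOERROR 45 3120
10:00:01 203.0.113.7 example.net ANY NOERROR 45 3120
10:00:02 203.0.113.7 example.net ANY NOERROR 45 3120
10:00:02 198.51.100.9 www.example.net A NOERROR 44 60
10:00:02 198.51.100.9 isc.org ANY REFUSED 37 37
10:00:03 192.0.2.33 example.net MX NOERROR 45 140
"""


def parse_log(text):
    """Parse the constructed log into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        t, src, qname, qtype, rcode, req, resp = parts
        records.append({"time": t, "src": src, "qname": qname, "qtype": qtype,
                        "rcode": rcode, "req_bytes": int(req), "resp_bytes": int(resp)})
    return records


def per_source_stats(records):
    """Queries, bytes in/out and amplification ratio (bytes out / bytes in) per source IP."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0})
    for r in records:
        s = stats[r["src"]]
        s["queries"] += 1
        s["bytes_in"] += r["req_bytes"]
        s["bytes_out"] += r["resp_bytes"]
    for s in stats.values():
        s["ratio"] = s["bytes_out"] / s["bytes_in"]
    return dict(stats)


def flag_reflection(stats, min_queries=3, min_ratio=10.0):
    """Source IPs that got many, much larger answers. In a reflection attack the
    'source' is the spoofed victim address, so this tells you who is being hit,
    not who is sending; the fix is rate limiting or refusing recursion, not blocking them."""
    return sorted(ip for ip, s in stats.items()
                  if s["queries"] >= min_queries and s["ratio"] >= min_ratio)
```

Thresholds are illustrative; on a real server, compare the ratio against the size of your own largest legitimate answers (DNSSEC-signed zones make ANY and DNSKEY responses large even for honest clients).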