[Dnsmasq-discuss] Help in DNS amplification attack

Albert ARIBAUD albert.aribaud at free.fr
Thu Jul 16 10:53:27 BST 2015


Hi AS,

Le Thu, 16 Jul 2015 11:40:42 +0530, "@shuToSH Ch at tURveDI"
<ashutosh.chaturvedi.31 at gmail.com> a écrit :

> HI,
> 
> using dnsmasq version 2.70, as mention in CHANGELOG that dns amplification
> attack has been fixed in this version.
> 
> but when checked this one
> 
> https://help.1and1.com/servers-c37684/parallels-plesk-c37703/troubleshooting-c85156/check-for-the-dns-amplification-attack-vulnerability-a791842.html
> 
> its not fixed, so anyone can help me this case how to fix this.??

Maybe I'm mistaken, but I think what this page actually tests for is
whether a given 1and1 hosted machine is an open DNS, not whether it has
a bug which allows DNS amplicifation.

Indeed being an open DNS makes the machine prone to being used for DNS
amplification attacks, but:

1) this test is specifically for 1and1 machines. Is your machine hosted
   by 1and1?

2) Whether a machine running dnsmasq is an open DNS or not depends on
*configuration*, not source code -- the fix is a correct configuration
(of dnsmasq and/or iptables/ip6tables).

> Thanks,
> AS

Amicalement,
-- 
Albert.



More information about the Dnsmasq-discuss mailing list