Open DNS resolvers are recursive DNS servers that are configured to accept queries from any computers on the Internet. These act as relays between users and authoritative DNS servers; they receive queries for any domain name, find the authoritative name server responsible for it and relay the information obtained from that server back to the user.
Meanwhile, authoritative name servers, like those operated by DNSimple, easyDNS and TPP Wholesale, will only respond to queries concerning the domain names they serve.
The extra work required to target such servers suggests that the attackers behind the recent attacks on these DNS hosting providers were well prepared and did their homework in advance, Morales said.
One mitigation against this kind of attack is to configure the DNS server software to force all "ANY" queries sent over UDP (User Datagram Protocol) to be resent over TCP (Transmission Control Protocol) instead, Eden said. This can be done by sending a UDP response with the TC bit set and an empty answer section. A legitimate DNS client will retry over TCP, while a bogus client will get no benefit, he said.
In the case of open resolvers, the problem can be mitigated by restricting which IP addresses are allowed to query them, said Morales. For example, an ISP operating a DNS resolver for its customers can restrict its use to only IP addresses from its network, he said.
However, this kind of mitigation is not applicable to authoritative name servers because they are meant to be queried by anyone on the Internet who wants to get information about the specific domain names served by them, Morales said. The mitigation described by Eden is very good and is actually one that Arbor also uses to protect authoritative name servers, he said. Another mitigation is to enforce a query rate limit for source IP addresses, he said.
Sign up for CIO Asia eNewsletters.