DNS Hammer
Frequently Asked Questions
Q: What does DNS Hammer do?
A: DNS Hammer checks whether a DNS server can be abused to generate unwanted traffic. In a "DNS reflection" attack, an attacker sends queries with a forged source address to your server, and your server sends the (much larger) responses to that forged address. The result is a denial of service against a third party, carried out with your bandwidth.
Q: Why should I care?
A: The traffic generated by the attacker hurts you as much as the victim: your uplink fills up with the undesired DNS responses your server sends out.
Q: How much traffic are we talking about?
A: Depending on the configuration, a response can be 20 or 30 times bigger than the request. Here is an example:
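To make the "20 or 30 times" concrete, the following added Python script (it is not part of DNS Hammer) builds the kind of query an attacker reflects: an ANY query carrying an EDNS0 OPT record that advertises a 4096-byte UDP buffer, which is what allows a server to send a large answer in a single UDP packet. The amplification factor is simply response bytes divided by request bytes. The query is only 36 bytes for a name like isc.org, so a 1 kB response is already a factor of about 30. The server address and name passed on the command line, the transaction ID and the 4096-byte buffer size are assumptions of this example; everything except probe() runs offline.

```python
"""Estimate the amplification factor of a DNS reflection attack.

Added example, not DNS Hammer's own code. Builds an ANY (or TXT) query with
an EDNS0 OPT record (UDP payload size 4096, optionally DO=1 so a DNSSEC
signed zone also returns RRSIGs), and compares the response size with the
request size. probe() talks to a real server; the other functions run offline.
"""
import socket
import struct

QTYPE_TXT = 16
QTYPE_ANY = 255


def encode_name(name: str) -> bytes:
    """DNS wire format for a domain name.

    IDNs are converted to punycode first, like the FAQ says DNS Hammer does,
    so "münchen.de" becomes the label "xn--mnchen-3ya".
    """
    ascii_name = name.rstrip(".").encode("idna")
    labels = ascii_name.split(b".")
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234,
                edns_udp_size: int = 4096, dnssec_ok: bool = False) -> bytes:
    """Build a recursion-desired query with one question and one OPT RR."""
    # id, flags (RD=1), qdcount, ancount, nscount, arcount (the OPT record)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, "class" = max UDP payload the sender
    # accepts, "TTL" = ext-rcode/version/flags (0x8000 = DO bit), rdlen 0.
    ttl = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_udp_size, ttl, 0)
    return header + question + opt


def parse_header(message: bytes) -> dict:
    """Decode the fixed 12-byte header of a query or response."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", message[:12])
    return {
        "id": txid,
        "tc": bool(flags & 0x0200),   # truncated: client must retry over TCP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the server sends per byte the attacker has to send."""
    return len(response) / len(query)


def probe(server: str, name: str, qtype: int = QTYPE_ANY,
          timeout: float = 3.0) -> tuple:
    """Send one query over UDP and return (factor, parsed response header)."""
    query = build_query(name, qtype, dnssec_ok=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(65535)
    return amplification_factor(query, response), parse_header(response)


if __name__ == "__main__":
    import sys
    # usage: python reflect_check.py <server-ip> <zone-name>
    factor, hdr = probe(sys.argv[1], sys.argv[2])
    print(f"amplification x{factor:.1f}, {hdr['ancount']} answer RRs, "
          f"truncated={hdr['tc']}, rcode={hdr['rcode']}")
```

If a server sets TC=1 or answers ANY with a minimal response (RFC 8482), the factor stays close to 1 because the full answer is only available over TCP, which cannot be spoofed the same way; that, together with response rate limiting, is what a hardened server looks like in this measurement.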
Q: This tool exposes DNS servers that could be used in a reflection attack. Aren't you helping the bad guys by publishing this tool?
A: This is a bit like nmap and many other tools used for security audits. Then again, DNS Hammer intentionally has no support for scripting or for mass-scanning a list of domains.
Q: Can I audit IDN domains with DNS Hammer?
A: Yes. Domain names are translated to punycode before they are processed.
Q: Do you plan a version for Linux?
A: No.
Q: How do I activate DNS rate limiting for my server?
A: This depends on your software. Here are a few selected links:
Q: Can you help me configure DNS rate limiting for my DNS server?
A: No. Sorry, we are not in the consulting business. If you don't know where to start, we suggest applying limits similar to the ones you observe on well-run domains like isc.org.
Q: Can you at least give me a starting configuration?
A: Here are a few starting values for a site with few DNS host names. These values are probably too small if you have a decent number of hosts and subdomains.
rate-limit {
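For readers whose server is BIND 9, here is a complete rate-limit block as an added example. It is not the FAQ's own snippet, and the numbers in it are assumptions chosen for a small zone in the spirit of the answer above, not values recommended by DNS Hammer; the exempt network 192.0.2.0/24 is a placeholder. The block goes inside options { } (or a view) in named.conf.

```conf
options {
    rate-limit {
        // Identical responses (same name, type and answer) per second that a
        // single client netblock may receive before the rest are dropped.
        responses-per-second 5;
        // Separate per-second budgets for referrals, NODATA, NXDOMAIN and
        // error responses; attackers often use non-existent names.
        referrals-per-second 5;
        nodata-per-second    5;
        nxdomains-per-second 5;
        errors-per-second    5;
        // Smoothing window in seconds: a client may burst up to
        // window * rate before the limit kicks in.
        window 5;
        // Instead of dropping every excess response, answer every second one
        // with a tiny truncated (TC=1) reply. A real client retries over TCP;
        // a spoofed victim only receives a packet smaller than the query.
        slip 2;
        // Count clients per /24 (IPv4) and /56 (IPv6) so that forging many
        // source addresses inside one block does not evade the limit.
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        // Monitoring hosts or secondaries that legitimately query a lot.
        // Placeholder network; replace with your own.
        exempt-clients { 192.0.2.0/24; };
        // Set to "yes" first to only log what would be limited, then switch
        // to "no" once the log shows no legitimate clients being hit.
        log-only no;
    };
};
```

Run with log-only yes for a few days and watch the rate-limit log category before enforcing; if you see your own monitoring or mail servers in the log, raise the per-second values or add them to exempt-clients rather than disabling the limit.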
Q: Should I activate rate limiting on my internal DNS server?
A: That is probably a bad idea. A network monitoring tool, an asset management system or any other tool that collects information from a large number of devices will certainly trigger the rate limit.
Q: Is DNS Hammer open source?
A: Not yet. We plan to release the source on github.com in the future. Before doing so we have to work out a few things.
Q: Could you add more resource record types to the test? What about TXT (text records) or CNAME (canonical name or alias)?
A: The current mix should provide a good method to test your DNS server. Please send us an e-mail and describe why exactly we should add more RR types to the mix.