DNS Hammer

Frequently Asked Questions


Q: What does DNS Hammer do?
A: DNS Hammer checks whether a DNS server can be abused to generate unwanted traffic.
That traffic can be aimed at a third party as a denial of service. The attack is known as "DNS Reflection" (also called DNS amplification, because each response is much larger than the spoofed request that triggered it).
   
Q: Why should I care?
A: The traffic an attacker generates through your server hurts you as much as the victim: your uplink fills up with DNS responses that nobody asked for.
   
Q: How much traffic are we talking about?
A: Depending on the configuration, a response can be 20 or 30 times larger than the request. An example:
  • Assume an infected computer sends requests at a modest rate of 1 MBit/sec.
  • Your server then answers with 20 to 30 MBit/sec, all of it addressed to the victim whose address was forged as the source of the requests.
  • Typical attacks use a botnet of thousands of infected computers, all sending bogus requests. The sheer volume also keeps the DNS server from answering legitimate queries.
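The amplification factor in the example above is simply response bytes divided by request bytes, but what determines it is the DNS wire format: a request is a few dozen bytes, while the response carries every record for the name, and EDNS0 lets the client raise the 512-byte UDP ceiling to several kilobytes. The following script is an added example, not DNS Hammer's code; it builds a query and a constructed response offline (no network access, the 30 AAAA records are made up) and measures the ratio with and without EDNS0. Names are converted to punycode before encoding, as the FAQ says DNS Hammer does for IDN domains. The truncation rule in amplification() is a simplification: a real server sends the records that fit plus the TC bit, rather than exactly the limit.

```python
"""Added example (not DNS Hammer's code): build DNS wire-format messages
offline and measure the amplification a reflector would give an attacker."""
import struct

TYPE_AAAA, TYPE_OPT, TYPE_ANY = 28, 41, 255
CLASS_IN = 1
OPT_LEN = 11           # root name (1) + type (2) + class (2) + ttl (4) + rdlen (2)
UDP_DEFAULT_MAX = 512  # RFC 1035 limit for UDP responses without EDNS0


def encode_name(name):
    """Wire-format name: length-prefixed labels, IDN labels converted to punycode."""
    wire = b""
    for label in name.rstrip(".").encode("idna").split(b"."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        wire += bytes([len(label)]) + label
    return wire + b"\x00"


def build_query(qname, qtype, edns_udp_size=None, txid=0x1234):
    """Standard query with RD set; an EDNS0 OPT record is added when a UDP size is given."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_udp_size:
        # OPT pseudo-RR: the CLASS field carries the advertised UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def build_response(qname, qtype, rrs, ttl=3600, edns_udp_size=None, txid=0x1234):
    """Constructed response: echoes the question, then one RR per (type, rdata) pair."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, arcount)  # QR, RD, RA set
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for rtype, rdata in rrs:
        # 0xC00C is a compression pointer to the question name at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, rtype, CLASS_IN, ttl, len(rdata)) + rdata
    if edns_udp_size:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def udp_limit(query):
    """Largest UDP response the client asked for: 512 without EDNS0, else the OPT class field."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return UDP_DEFAULT_MAX
    opt = query[-OPT_LEN:]
    name, rtype = opt[0], struct.unpack("!H", opt[1:3])[0]
    if name != 0 or rtype != TYPE_OPT:
        raise ValueError("trailing additional record is not an OPT record")
    return struct.unpack("!H", opt[3:5])[0]


def amplification(query, response):
    """Bytes the server sends per byte the attacker sends.

    Simplification: a response larger than the client's UDP limit is counted
    as exactly the limit (a real server sends the whole records that fit and
    sets the TC bit)."""
    sent = min(len(response), udp_limit(query))
    return sent / len(query)


def demo(qname="example.com", record_count=30):
    """ANY query for a name with 30 AAAA records (constructed data), with and without EDNS0."""
    rrs = [(TYPE_AAAA, bytes([0x20, 0x01, 0x0D, 0xB8]) + i.to_bytes(12, "big"))
           for i in range(record_count)]
    results = {}
    for label, size in (("plain", None), ("edns0-4096", 4096)):
        q = build_query(qname, TYPE_ANY, edns_udp_size=size)
        r = build_response(qname, TYPE_ANY, rrs, edns_udp_size=size)
        results[label] = (len(q), len(r), round(amplification(q, r), 1))
    return results


if __name__ == "__main__":
    for label, (req, resp, factor) in demo().items():
        print("%-11s request %3d B, response %4d B, amplification x%.1f"
              % (label, req, resp, factor))
```

With the constructed data the plain 29-byte query gets a response capped at 512 bytes (about 17.7x), while the 40-byte EDNS0 query gets the full 880-byte response (22x); that is why reflection attacks always advertise a large EDNS0 payload size, and why a checker has to send both kinds of query.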
   
Q: This tool exposes DNS servers that could be used in a reflection attack. Aren't you helping the bad guys by publishing this tool?
A: This is no different from nmap and many other tools used for security audits.
Then again, DNS Hammer intentionally has no support for scripting or for mass scanning a list of domains.
   
Q: Can I audit IDN-domains with DNS Hammer?
A: Yes. Domain names are translated to punycode before they are processed.
   
Q: Do you plan a version for Linux?
A: No
   
Q: How do I activate DNS rate limiting for my server?
A: This depends on your software. Here are a few selected links:
   
Q: Can you help me configure DNS rate limiting for my DNS server?
A: No, sorry, we are not in the consulting business. If you don't know where to start, we suggest applying the limits you find for domains like isc.org.
   
Q: Can you at least give me a starting configuration?
A: Here are a few starting values for BIND; the rate-limit block goes inside options { } in named.conf. They are meant for a site with few DNS host names and are probably too small if you have a decent number of hosts and subdomains.

rate-limit {
    window 20; // seconds to bucket: credit accumulates over this window
    ipv4-prefix-length 24; // all clients in the same /24 share one limit
    ipv6-prefix-length 56; // likewise per /56 for IPv6
    responses-per-second 30; // identical good responses per client prefix per second
    referrals-per-second 5;
    nodata-per-second 5;
    nxdomains-per-second 5;
    errors-per-second 5;
    all-per-second 30; // responses of any kind per client prefix per second
    max-table-size 80000; // 40 bytes * this number = max memory
    min-table-size 500; // pre-allocate to speed startup
};
tcp-clients 500; // rate-limited clients are told to retry over TCP, so allow more TCP connections
   
Q: Should I activate rate limiting on my internal DNS server?
A: That is probably a bad idea. A network monitoring tool, an asset management system or any other tool that collects information from a large number of devices will certainly trigger the rate limit.
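To see what the starting values above actually allow, and why the internal-server answer holds, here is an added example that is neither BIND's nor DNS Hammer's code: a simplified token-bucket model of the rate-limit settings. The model assumes each key (client prefix plus name and type for responses-per-second, client prefix alone for all-per-second) earns credit at its configured rate up to window times that rate and spends one credit per response; slip, exempt-clients and the separate referral, NODATA, NXDOMAIN and error buckets are left out. The client addresses, host names and query rates are constructed for the illustration.

```python
"""Added example (not BIND's or DNS Hammer's code): a simplified token-bucket
model of BIND's rate-limit settings, to see how window and the per-second
rates interact for a given client prefix."""
import ipaddress


class RateLimitModel:
    """Each key earns credit at <rate> per second, capped at window * rate, and
    spends one credit per response; a key without credit drops the response.
    Assumption for illustration only: slip, exempt-clients and the separate
    referral/NODATA/NXDOMAIN/error buckets of the real implementation are ignored."""

    def __init__(self, window=20, responses_per_second=30, all_per_second=30,
                 ipv4_prefix_length=24, ipv6_prefix_length=56):
        self.window = window
        self.rps = responses_per_second
        self.aps = all_per_second
        self.v4len, self.v6len = ipv4_prefix_length, ipv6_prefix_length
        self.buckets = {}  # key -> (credits, time of last update)

    def prefix_of(self, client_ip):
        """Clients in the same prefix share one bucket (ipv4-/ipv6-prefix-length)."""
        addr = ipaddress.ip_address(client_ip)
        plen = self.v4len if addr.version == 4 else self.v6len
        return str(ipaddress.ip_network("%s/%d" % (addr, plen), strict=False))

    def _credits(self, key, rate, now):
        """Credit for key at time now, after refilling since the last update."""
        credits, last = self.buckets.get(key, (self.window * rate, now))
        return min(self.window * rate, credits + (now - last) * rate)

    def response(self, client_ip, qname, qtype, now):
        """True if the response may be sent at time `now` (seconds, monotonic)."""
        prefix = self.prefix_of(client_ip)
        keys = [
            # responses-per-second: identical answers (same prefix, name, type)
            (("resp", prefix, qname.lower(), qtype), self.rps),
            # all-per-second: every response to the prefix, whatever the name
            (("all", prefix), self.aps),
        ]
        balances = [(key, self._credits(key, rate, now)) for key, rate in keys]
        allowed = all(credits >= 1 for _, credits in balances)
        for key, credits in balances:
            self.buckets[key] = (credits - 1 if allowed else credits, now)
        return allowed


def simulate(limiter, client_ip, qps, seconds, distinct_names):
    """Constructed load: `qps` A queries per second for `seconds`, cycling
    through `distinct_names` host names.  Returns (allowed, dropped)."""
    allowed = dropped = 0
    n = 0
    for sec in range(seconds):
        for i in range(qps):
            name = "host%d.internal.example" % (n % distinct_names)
            if limiter.response(client_ip, name, "A", sec + i / qps):
                allowed += 1
            else:
                dropped += 1
            n += 1
    return allowed, dropped


if __name__ == "__main__":
    # Asset scanner on one /24: 100 qps spread over 1000 names, well under
    # responses-per-second for any single name but far over all-per-second.
    print("scanner ", simulate(RateLimitModel(), "10.0.0.5", 100, 60, 1000))
    # Ordinary client at 20 qps: stays under both limits, nothing dropped.
    print("normal  ", simulate(RateLimitModel(), "10.0.0.5", 20, 60, 1))
    # Short burst of 100 queries in one second: absorbed by window * rate = 600 credits.
    print("burst   ", simulate(RateLimitModel(), "10.0.0.5", 100, 1, 1))
```

The numbers make the trade-off visible: window 20 with 30 responses per second lets a prefix burst 600 responses before anything is dropped, which is generous for a spoofed reflection burst but still cuts a scanner doing 100 queries per second down to roughly 30 per second after the first few seconds. The all-per-second bucket is what catches the scanner, since it spreads its queries over many names and never exceeds responses-per-second for any one of them.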
   
Q: Is DNS Hammer open source?
A: Not yet. We plan to release the source to github.com in the future. Before doing so we have to work out a few things.
   
Q: Could you add more resource record types to the test? What about TXT (text records) or CNAME (canonical name or alias)?
A: The current mix should provide a good way to test your DNS server. Please send us an e-mail describing why exactly we should add more RR types to the mix.