Nov 24th, 2014
The DNS server answers all queries, providing additional delegation
information to arbitrary IP addresses. It is possible to send a query
for the root zone (.) to the DNS server, and get an answer that is
much larger than the query (often more than 20 times in size). An
attacker could spoof the source IP address of the query, causing the
DNS server to respond to the source IP with the larger answer. An
attacker could focus these answers on a single target, resulting in
a Denial of Service for that IP. Additionally, the amplification attack
represents a risk to the DNS server in the form of Denial of Service.
The server would have reduced ability to respond to legitimate DNS
queries due to consumed system resources and higher network
traffic levels.

Verification of this must be done from a host that is not on the
network/intranet of the DNS server. Command to verify from a UNIX
based system: 'dig -t NS . @IP.OF.DNS.SERVER' or
'host -v -t NS . IP.OF.DNS.SERVER'. On Windows, run
'nslookup -type=NS . IP.OF.DNS.SERVER'. If the response received
includes answer and additional sections that list a number of hosts
(often on 'root-servers.net'), then the system is vulnerable. The SANS
Internet Storm Center has also provided an online tool to verify this
issue (see the link to sans.org in the references).

Note: Vulnerabilities which result only in denial of service do not affect
PCI compliance; however, they may still be critical to your systems.
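
The check described above, written out as an added example (not part of the original paste or of any scanner's code): it builds the same root-zone NS query that the dig command sends, then applies the finding's criterion to the reply and reports the reply/query size ratio. The function names and the constructed sample reply are assumptions made for illustration; check_server() is meant for a resolver you operate, queried from outside its network.

```python
import socket
import struct

def build_root_ns_query(txid=0x1234):
    """Query for the root zone (.), type NS, class IN -- same as 'dig -t NS .'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + b"\x00" + struct.pack("!HH", 2, 1)         # root name, NS, IN

def assess_response(query, response):
    """Apply the finding's test to one reply and report the size ratio."""
    if len(response) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a reply to this query")
    rcode = flags & 0x000F
    return {
        "rcode": rcode, "answer": an, "authority": ns, "additional": ar,
        "amplification": round(len(response) / len(query), 1),
        # Criterion from the text: answer and additional sections are populated.
        "vulnerable": rcode == 0 and an > 0 and ar > 0,
    }

def check_server(server_ip, timeout=3.0):
    """Send one query to a server you operate, from outside its network."""
    query = build_root_ns_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        response, _ = sock.recvfrom(4096)
    return assess_response(query, response)

def constructed_response(query, answers=13, additional=13, rcode=0):
    """Constructed sample reply (not captured traffic), names uncompressed."""
    name = b"\x01a\x0croot-servers\x03net\x00"
    ns_rr = b"\x00" + struct.pack("!HHIH", 2, 1, 518400, len(name)) + name
    a_rr = name + struct.pack("!HHIH", 1, 1, 518400, 4) + bytes([192, 0, 2, 1])
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, answers, 0, additional)
    return header + query[12:] + ns_rr * answers + a_rr * additional

if __name__ == "__main__":
    q = build_root_ns_query()
    print("open server  :", assess_response(q, constructed_response(q)))
    print("refusing one :", assess_response(q, constructed_response(q, 0, 0, rcode=5)))
```

A server that returns REFUSED (rcode 5) or an empty answer for '.' to outside clients produces a reply about the same size as the query and is not flagged.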