- Newest
- Most votes
- Most comments
The DNS Server Spoofed Request Amplification DDoS vulnerability means that a nameserver will respond to "dig . NS @r53nameserver" with a long (amplified) response. If you try that query against any of our publically accessible authoritative nameservers you will see:
`; <<>> DiG 9 <<>> @ns-xxxx.awsdns-xx.co.uk. . NS
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached`
So Route53 nameservers are not susceptible to this vulnerability.
You may have seen this finding if the scanner ran within a VPC or on-prem against a Route53 resolver IP. Resolver endpoints are not exposed to the public and are accessible only from the clients that have access to the AWS VPC where the resolvers run and in addition, EC2 instances cannot send spoofed network traffic, so the attack described could not occur. Any such finding against Route53 resolver IPs can be disregarded.
Relevant content
- asked 2 years ago
- asked 7 months ago
- Accepted Answerasked 5 years ago
- asked 2 months ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
I think we are lacking a bit of the context in order to properly answer the question. When you mean "Route 53 endpoint", are you meaning Route 53 Outbound endpoints? Or just a CNAME record in R53 that points towards a public facing ALB?