Comments on: DNS Amplification Denial of Service – GoDaddy DNS Servers Fail PCI Compliance

By: Teresa

Teresa — Fri, 24 Apr 2009 21:35:51 +0000

The vulnerability scans for PCI Compliance were stating that my DNS server had a problem of allowing third-party recursive queries and thus they failed the scan. I have done more digging and discovered it was actually my DSL Modem/Router that was allowing third-party recursive look-ups and NOT AT&T’s DNS servers. I have resolved the problem with my router, passed the vulnerability scan and am now PCI Compliant. And I am still using AT&T’s DSL service with their DNS. So AT&T’s DNS is compliant.

By: i.nconspicuo.us

i.nconspicuo.us — Thu, 16 Apr 2009 01:56:14 +0000

Hi Teresa -

We just tried moving our domains to namecheap.com (they offer free DNS) and they were non-compliant as well, but they seem to be willing to work with us on getting the issue resolved. I’ll definitely keep you all posted.

By: Teresa

Teresa — Tue, 14 Apr 2009 22:47:54 +0000

I have found AT&T Yahoo ISP’s DNS servers to be non-compliant, as well. And they too have refused to change their DNS servers for “just one customer”. Can you recommend an ISP provider with PCI Compliant DNS servers? Thanks.

By: i.nconspicuo.us

i.nconspicuo.us — Sat, 04 Apr 2009 03:23:58 +0000

Yes Lawrence, I’ve contacted GoDaddy and they have said that they have no plans to change the way their DNS servers currently work.

By: Lawrence Pingree

Lawrence Pingree — Fri, 03 Apr 2009 22:54:07 +0000

I’m concerned as to why you are disclosing this as it seems questionable ethically. Have you reported this to Godaddy and given them time to try and fix this issue. If not, you are not practicing appropriate ethical disclosure.

By: DP

DP — Tue, 24 Mar 2009 16:47:35 +0000

My understanding was that ASVs could not fail clients on DOS since technically you can’t test DOS. Your opinion?