Warning about open recursive nameservers

2006-04-04 22:59

As you may have noticed in the media, denial-of-service (DoS) attacks that use DNS servers to amplify the attack are currently becoming more common.

These attacks all use ORNs, Open Recursive Nameservers. A recursive DNS nameserver is "open" when it agrees to reply not only to its local network (as it should) but also to the whole world. It can therefore be used as a proxy for the DoS attack. Being part of the attack, it can engage the responsibility of its administrator. Since a DNS reply is typically larger than the request, the attack is amplified, so the bad guy can save his bandwidth.

CZ.NIC wants to remind all its members that ORNs are a danger for the whole Internet. These ORNs have few legitimate uses. CZ.NIC strongly recommends closing the ORNs, following the techniques described in the references. For instance, for the BIND program, using "recursion no" is recommended. For the legitimate recursive service towards the local network (and towards your clients if you are an access provider), you need to use a second machine, a second daemon, or even the views of BIND 9.
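
To illustrate the BIND 9 settings mentioned above, here is an added example (not part of the original notice, and not a configuration distributed by CZ.NIC) showing an open configuration beside a closed one that uses views; the network 192.0.2.0/24, the zone name "example.cz" and the file names are placeholders.

```conf
// --- Open recursive nameserver (the problem) ---
// Recursion is enabled and no client restriction is set, so the server
// answers recursive queries from the whole Internet and can be used as
// a DoS amplifier.
options {
    directory "/var/named";
    recursion yes;          // default in BIND, open to any client
};

// --- Authoritative-only server (fix for a public nameserver) ---
// Answers only for the zones it hosts; refuses recursion for everyone.
options {
    directory "/var/named";
    recursion no;
};

// --- One BIND 9 daemon serving both roles with views ---
// Local clients get recursion; the rest of the world only gets
// authoritative answers for the hosted zones.
acl "local-clients" { 127.0.0.0/8; 192.0.2.0/24; };   // placeholder network

view "internal" {
    match-clients { "local-clients"; };
    recursion yes;
    allow-recursion { "local-clients"; };
    zone "." { type hint; file "named.root"; };
    zone "example.cz" { type master; file "example.cz.zone"; };
};

view "external" {
    match-clients { any; };          // everyone not matched above
    recursion no;
    zone "example.cz" { type master; file "example.cz.zone"; };
};
```

The three blocks are alternatives, not one file: a real named.conf contains a single options statement, and once views are used every zone must be declared inside a view.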

CZ.NIC, together with other TLD registries, continues to study this vulnerability and the best ways to counter it. One of the possible ways is to stop serving DNS requests coming from ORNs. At present, surveys show that nearly 53 % of the nameservers used in at least one ".cz" domain are ORNs, which is quite worrying.

References:

Securing an Internet Name Server
http://www.cert.org/archive/pdf/dns.pdf
A very good practical synthesis for the system administrator.

DNS Amplification attacks
http://www.isotf.org/news/DNS-Amplification-Attacks.pdf
A good description of the current attacks.

The Continuing Denial of Service Threat Posed by DNS Recursion
http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
Official advice from the US CERT.

Stop abusing my computer in DDOSes, thanks
http://weblog.barnet.com.au/edwin/cat_networking.html
A description of the first known case, known as "x.p.ctrc.cc".