[BlueOnyx:12687] Re: DNS Spamming

Michael Stauber mstauber at blueonyx.it
Sat Mar 30 16:17:13 -05 2013


Hi Colin,

> We always have recursion off.
> 
> This does not stop ANY? queries as Michael pointed out.

Exactly. Let me elaborate a bit on that point, as I might have missed
doing so in my earlier message:

On an "open" DNS server that allows recursion, you can send an ANY?
request for a very large DNS zone file. Like the ones from Google or
Amazon (to name two companies), or <gasp> the entire RIPE root zone or
another large one.

That tiny ANY? request will be around 56 bytes long, but your DNS server
will reply with a large clunker of data, which, if the source UDP address
is spoofed, hits an innocent bystander right in the face.

If you turn recursion off, ANY? requests for zones your DNS server is
not authoritative for will be rejected. So your DNS server can't be used
to slap someone over the head with the RIPE zone.

However, your DNS server will still respond to ANY? requests for zones
it is authoritative for. These are a lot smaller than the root zone files
and their immediate children, but they're still sufficiently larger than
the initial UDP request that was sent to you.

So any DNS server that's not allowing recursion, but responds to query
requests, can still be used as a tool in a DDoS attack. This is no
hypothetical scenario, as I see it on a daily basis.

There are a few remedies to this. You can throw iptables 'recent' at it,
modify fail2ban (or similar) to parse more verbose DNS logfiles for ANY
requests, use a DNS proxy to filter out or limit ANY? requests, and a
few other improvisations.

However, they're all band-aids. The fundamental problem is that design
flaw in Bind: it's neither sensible nor wise to allow thousands of ANY?
requests from the same source in a short amount of time.

So the rate-limit patch that was suggested needs to finally make it into
Bind - ASAP. And/or upstream has to roll out the patched versions of
Bind for this.

I'm contemplating rolling out a modified Bind for BlueOnyx, which
incorporates said patch. But I'm hoping that the Bind makers and
upstream come to their senses soon and just do what has to be done.

-- 
With best regards

Michael Stauber
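As an added illustration of the "band-aid" Michael describes (this is example code written for this page, not code from Michael's message, from BlueOnyx, or from Bind), the block below parses the question section of a raw DNS query, recognises QTYPE 255 (ANY), and applies a per-source sliding-window limit so that a burst of ANY? queries from one (possibly spoofed) address is dropped after a handful while ordinary A queries pass. This is the kind of check a filtering DNS proxy would do in front of the server; it is a crude query-side stand-in, not a reimplementation of the rate-limit patch he refers to. The limit of 5 queries per 10 seconds, the zone names and the documentation-range source addresses (198.51.100.7, 203.0.113.9) are assumptions chosen for the sample traffic, which is constructed inline.

```python
"""Detect DNS ANY queries on the wire and rate-limit them per source IP.

Example code added for this page; not part of the original mailing list
post, BlueOnyx or Bind. Thresholds and sample traffic are constructed.
"""
import struct
import time
from collections import defaultdict, deque

QTYPE_A = 1
QTYPE_ANY = 255  # RFC 1035 "*" / ANY query type


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (12-byte header + one question) in wire format.
    Flags 0x0100 = RD set, which is what a typical resolver client sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.strip(".").split(".")
    question = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root terminator, QTYPE, QCLASS=IN
    return header + question


def parse_question(pkt: bytes):
    """Return (qname, qtype) of the first question, or None if the packet is malformed."""
    if len(pkt) < 12:
        return None
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    if qdcount < 1:
        return None
    labels = []
    pos = 12
    while True:
        if pos >= len(pkt):
            return None
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer is not valid in a query name
            return None
        labels.append(pkt[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(pkt):
        return None
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return ".".join(labels), qtype


class AnyRateLimiter:
    """Allow at most `limit` ANY queries per `window` seconds from each source IP.
    Other query types are passed through untouched; malformed packets are dropped."""

    def __init__(self, limit: int = 5, window: float = 10.0):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # src_ip -> timestamps of recent ANY queries

    def allow(self, src_ip: str, pkt: bytes, now: float) -> bool:
        parsed = parse_question(pkt)
        if parsed is None:
            return False
        _qname, qtype = parsed
        if qtype != QTYPE_ANY:
            return True
        recent = self.hits[src_ip]
        while recent and now - recent[0] > self.window:  # expire old entries
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def simulate(limit: int = 5, window: float = 10.0) -> dict:
    """Constructed traffic sample: 20 ANY? queries in a burst from one source,
    3 A queries from another, one truncated packet, then one more ANY? after
    the window has expired. Returns counters per outcome."""
    limiter = AnyRateLimiter(limit, window)
    any_pkt = build_query("example.com", QTYPE_ANY)
    a_pkt = build_query("www.example.com", QTYPE_A)
    stats = {"any_allowed": 0, "any_dropped": 0, "a_allowed": 0, "malformed_dropped": 0}
    now = 1000.0
    for _ in range(20):
        now += 0.1
        if limiter.allow("198.51.100.7", any_pkt, now):
            stats["any_allowed"] += 1
        else:
            stats["any_dropped"] += 1
    for _ in range(3):
        now += 0.1
        if limiter.allow("203.0.113.9", a_pkt, now):
            stats["a_allowed"] += 1
    if not limiter.allow("203.0.113.9", b"\x00" * 5, now):
        stats["malformed_dropped"] += 1
    now += window + 1  # once the window has passed the same source is served again
    stats["any_allowed_after_window"] = int(limiter.allow("198.51.100.7", any_pkt, now))
    return stats


if __name__ == "__main__":
    print(simulate())
```

Feeding real traffic means reading the UDP payload off port 53 (or the query log) and passing the source address and packet to `allow()` with `time.monotonic()`; the only state kept is a deque of timestamps per source, so the limiter itself cannot be made to grow without bound faster than the sources can be spoofed, which is the same exposure the iptables 'recent' approach has.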


