[BlueOnyx:12692] Re: DNS Spamming

Roy Urick rurick at usa.net
Sat Mar 30 19:22:48 -05 2013


Forgive my ignorance, but is there a good reason to allow an ANY request at all times? Is it possible to make bind ignore non-specific name queries? It seems to me an any request should only be applicable for zone transfers for most instances. 



Sent from my iPhone

On Mar 30, 2013, at 5:17 PM, Michael Stauber <mstauber at blueonyx.it> wrote:

> Hi Colin,
> 
>> We always have recursion off.
>> 
>> This does not stop ANY? queries as Michael pointed out.
> 
> Exactly. Let me elaborate a bit on that point, as I might have missed
> doing so in my earlier message:
> 
> On an "open" DNS server that allows recursion, you can send an ANY?
> request for a very large DNS zone file. Like the one from Google, Amazon
> (to name companies) or <gasp> the entire RIPE root zone or another large
> one.
> 
> That tiny ANY? request will be around 56 bytes long, but your DNS server
> will reply with a large clunker of data. Which - if the source UDP
> address is spoofed - hits an innocent bystander right in the face.
> 
> If you turn recursion off, ANY? requests for zones your DNS server is
> not authoritative for will be rejected. So your DNS server can't be used
> to slap someone over the head with the RIPE zone.
> 
> However, your DNS server will still respond to ANY? requests that it is
> authoritative for. These are a lot smaller than root zone files and
> their immediate children. But they're still sufficiently larger than the
> initial UDP request that was sent to you.
> 
> So any DNS server that's not allowing recursion, but responds to
> query-requests can still be used as a tool in a DDoS attack. This is no
> hypothetical scenario, as I see it on a daily basis.
> 
> There are a few remedies to this. You can throw iptables 'recent' at it,
> can modify fail2ban (or similar) to parse more verbose DNS logfiles for
> ANY requests, can use a DNS-proxy to filter out or limit ANY? requests
> and a few other improvisations.
> 
> However, they're all band-aids. The fundamental problem is that design
> flaw in Bind. It's neither sensible nor wise to allow thousands of ANY?
> requests from the same source in a short amount of time.
> 
> So the rate-limit patch that was suggested needs to finally make it into
> Bind - ASAP. And/or upstream has to roll out the patched versions of
> Bind for this.
> 
> I'm contemplating rolling a modified Bind out for BlueOnyx, which
> incorporates said patch. But I'm hoping that the Bind makers and
> upstream come to their senses soon and just do what has to be done.
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
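The fail2ban-style remedy Michael mentions (parsing a verbose DNS query log for ANY requests) as an added example, not code from this thread or from BlueOnyx: it counts ANY queries per source IP over a sliding time window and flags any source that exceeds a threshold, which is the signal a rate limiter or firewall rule would act on. The BIND query-log line format, the sample log lines, the threshold and the window size are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed BIND 9 query-log format (logged with "querylog yes"); the regex also
# tolerates the optional "@0x..." handle and "(qname)" that some versions add.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (timestamp, source IP, qname, qtype), or None for non-query lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("src"), m.group("qname"), m.group("qtype")

def find_any_floods(lines, threshold=5, window_seconds=60):
    """Flag sources that send more than `threshold` ANY queries within any
    `window_seconds` span. Returns {src: ANY count in the window when flagged}."""
    recent = defaultdict(deque)   # per-source timestamps of ANY queries in window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != "ANY":
            continue                # ignore unparseable lines and non-ANY queries
        ts, src = parsed[0], parsed[1]
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop queries that fell out of the window
        if len(q) > threshold and src not in flagged:
            flagged[src] = len(q)
    return flagged

# Constructed sample log: one source bursts six ANY queries in one second,
# another sends a single ANY, a third sends two ANY queries 90 seconds apart.
SAMPLE_LOG = """\
30-Mar-2013 17:00:01.001 client 192.0.2.10#4312: query: example.com IN A + (203.0.113.5)
30-Mar-2013 17:00:02.120 client 198.51.100.7#3001: query: example.com IN ANY + (203.0.113.5)
30-Mar-2013 17:00:02.130 client 198.51.100.7#3002: query: example.com IN ANY + (203.0.113.5)
30-Mar-2013 17:00:02.140 client 198.51.100.7#3003: query: example.com IN ANY + (203.0.113.5)
30-Mar-2013 17:00:02.150 client 198.51.100.7#3004: query: example.com IN ANY + (203.0.113.5)
30-Mar-2013 17:00:02.160 client 198.51.100.7#3005: query: example.com IN ANY + (203.0.113.5)
30-Mar-2013 17:00:03.000 client 192.0.2.10#4313: query: example.com IN ANY + (203.0.113.5)
30-Mar-2013 17:00:03.200 client 198.51.100.7#3006: query: example.com IN ANY + (203.0.113.5)
30-Mar-2013 17:02:30.000 client 203.0.113.9#2000: query: example.com IN ANY + (203.0.113.5)
30-Mar-2013 17:04:00.000 client 203.0.113.9#2001: query: example.com IN ANY + (203.0.113.5)
""".splitlines()

if __name__ == "__main__":
    print(find_any_floods(SAMPLE_LOG))   # {'198.51.100.7': 6}
```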
