[dns-operations] DNS deluge for x.p.ctrc.cc

Joe Greco jgreco at ns.sol.net
Mon Feb 27 21:45:36 UTC 2006


> > > On Mon, Feb 27, 2006 at 12:20:28AM +0000, Paul Vixie wrote:
> > > > # What other applications using larger packets would it break?
> > > > 
> > > > responses containing AAAA RR's are one example.  RFC 2671 was not written
> > > > pointlessly, or at least i hope (as its author) that it wasn't pointless.
> > > 
> > > What about query size limit.  At least for servers, or any host for
> > > that matter, that would never receive DNS answers itself (e.g. in the
> > > case of an authoritative only server), would limiting packets to 512
> > > filter something potentially legitimate?
> > > 
> > > I realize this doesn't particularly help most victims in the wave of
> > > attacks being discussed here, there have been attacks that shower 4KB
> > > answers at hosts that should never be getting those answers.
> > > 
> > > Yes, I realize filtering at this granular level this is just a
> > > band-aid.  Just curious in understanding what limitations there might
> > > be on questions.
> > 
> > And, from the answer side of things, it is kind of too bad that there is
> > no way for a client to signal back "I didn't ask you that question", or
> > for a recursing nameserver to do something useful with a port unreach,
> > etc.
> 
> 	It's UDP.  You get "port unreach" in normal operations.

And then...?  Proceed to do nothing useful with it.  That was the point
of my remark.

It would be somewhat difficult to do something useful with it in any case;
blindly trusting it could open a channel for a DoS attack against the
nameserver.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
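As an added illustration of the filtering question raised in the thread (not code from any poster), here is a small Python classifier for inbound UDP/53 datagrams at an authoritative-only host: it reads the QR bit to spot responses the host never asked for, and the EDNS0 OPT pseudo-RR (RFC 2671) to see whether a datagram over 512 bytes is EDNS-aware; all packets are constructed samples, and `build_query`/`build_response` are helpers written for this example.

```python
import struct

def _name(s):
    """Encode a dotted hostname in DNS wire format (helper for constructed samples)."""
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\x00"

def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) owner name at off."""
    while True:
        l = pkt[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + l

def inspect(pkt):
    """Parse the header, walk every section, report QR flag, size and EDNS0 payload size."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):               # question: name, qtype, qclass
        off = skip_name(pkt, off) + 4
    edns = None
    for _ in range(an + ns + ar):     # RR: name, type, class, ttl, rdlength, rdata
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:               # OPT pseudo-RR: class field carries UDP payload size
            edns = rclass
        off += 10 + rdlen
    return {"id": ident, "qr": (flags >> 15) & 1, "size": len(pkt), "edns": edns}

def classify_inbound(pkt, authoritative_only=True):
    """Defender-side verdict: an auth-only server never sends queries, so any response is reflected."""
    info = inspect(pkt)
    if authoritative_only and info["qr"] == 1:
        return "unsolicited-response"
    if info["size"] > 512 and info["edns"] is None:
        return "oversized-without-edns"  # blunt 512-byte rule only fires when no OPT RR is present
    return "query"

def build_query(name, qtype, edns_size=None):
    """Constructed query; optional OPT RR advertises edns_size in its class field."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0) if edns_size else b""
    return hdr + _name(name) + struct.pack("!HH", qtype, 1) + opt

def build_response(name, n_aaaa):
    """Constructed response stuffed with n_aaaa AAAA RRs, like the ~4KB answers the thread mentions."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, n_aaaa, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 28, 1, 300, 16) + bytes(16)
    return hdr + _name(name) + struct.pack("!HH", 28, 1) + rr * n_aaaa
```

On a host that does recurse (`authoritative_only=False`) the QR check no longer applies and only the size rule remains, which is why the thread treats the 512-byte cut-off as a band-aid.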