[dns-operations] DNS deluge for x.p.ctrc.cc

Mark Andrews Mark_Andrews at isc.org
Mon Feb 27 22:48:52 UTC 2006


> > > > On Mon, Feb 27, 2006 at 12:20:28AM +0000, Paul Vixie wrote:
> > > > > # What other applications using larger packets would it break?
> > > > > 
> > > > > responses containing AAAA RR's are one example.  RFC 2671 was not written
> > > > > pointlessly, or at least i hope (as its author) that it wasn't pointless.
> > > > 
> > > > What about query size limit.  At least for servers, or any host for
> > > > that matter, that would never receive DNS answers itself (e.g. in the
> > > > case of an authoritative only server), would limiting packets to 512
> > > > filter something potentially legitimate?
> > > > 
> > > > I realize this doesn't particularly help most victims in the wave of
> > > > attacks being discussed here, there have been attacks that shower 4KB
> > > > answers at hosts that should never be getting those answers.
> > > > 
> > > > Yes, I realize filtering at this granular level this is just a
> > > > band-aid.  Just curious in understanding what limitations there might
> > > > be on questions.
> > > 
> > > And, from the answer side of things, it is kind of too bad that there is
> > > no way for a client to signal back "I didn't ask you that question", or
> > > for a recursing nameserver to do something useful with a port unreach,
> > > etc.
> > 
> > 	It's UDP.  You get "port unreach" in normal operations.
> 
> And then...?  Proceed to do nothing useful with it.  That was the point
> of my remark.

	In normal operations "port unreach" just means the stub
	resolver has closed the socket.  Yes ignoring port unreachable
	is the correct thing to do if it involves the socket you
	are accepting queries on.

	It's a whole different matter with port unreach directed
	at the socket you are making queries on.  That means the
	nameserver you are talking to is not running or access
	is blocked.

> It would be somewhat difficult to do something useful with it in any case;
> blindly trusting it could open a channel for a DoS attack against the
> nameserver.
> 
> ... JG
> -- 
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
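The distinction Mark draws above (port unreachable on the socket you accept queries on is noise; port unreachable on the socket you send queries from means the upstream is down or filtered) is easy to see with a connected UDP socket. The following is an added example written for this page; it is not code from Mark's message, from ISC, or from BIND. It relies on the kernel delivering ICMP port-unreachable errors to *connected* UDP sockets as ECONNREFUSED (Linux does; on an unconnected listening socket Linux reports such errors only if IP_RECVERR is enabled, so "ignore it on the accepting socket" is the default behaviour). The stub upstream server, the query name x.p.ctrc.cc from the subject line, and the 30-second hold-down value are all constructed for the demo. The hold-down addresses Joe Greco's point: an unreachable result is acted on, but only briefly, so a spoofed ICMP cannot knock an upstream out permanently.

```python
import socket
import struct
import threading
import time
from random import randrange


def build_query(qname: str, qid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query: header (RD set, 1 question) + QNAME + QTYPE/QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def send_query(server: str, port: int, qname: str, timeout: float = 0.5):
    """Query an upstream the way a resolver does: from a *connected* UDP socket.

    Returns (status, payload) where status is one of
      "answer"      - reply with matching ID and QR bit set
      "unreachable" - kernel reported ICMP port unreachable (ECONNREFUSED):
                      the nameserver is not running or access is blocked
      "timeout"     - nothing came back
      "bogus"       - a datagram arrived that does not match our question
    """
    qid = randrange(65536)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        # connect() is what makes the kernel hand ICMP errors for this 4-tuple to us
        s.connect((server, port))
        s.send(build_query(qname, qid))
        data = s.recv(4096)
    except ConnectionRefusedError:
        return "unreachable", None
    except socket.timeout:
        return "timeout", None
    finally:
        s.close()
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != qid or not flags & 0x8000:
        return "bogus", None
    return "answer", data


class UpstreamTracker:
    """Hold an upstream down briefly after ECONNREFUSED; clear it on a real answer.

    A short hold-down rather than a permanent blacklist bounds the damage if the
    ICMP that produced ECONNREFUSED was spoofed (the DoS concern raised in the thread).
    """

    def __init__(self, holddown: float = 30.0):
        self.holddown = holddown
        self.down_until = {}

    def record(self, server: str, status: str, now: float = None):
        now = time.monotonic() if now is None else now
        if status == "unreachable":
            self.down_until[server] = now + self.holddown
        elif status == "answer":
            self.down_until.pop(server, None)

    def usable(self, server: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        return self.down_until.get(server, 0.0) <= now


def start_stub_server():
    """Constructed stand-in for an authoritative server on 127.0.0.1: echoes the
    question back with QR/RD/RA set. Its socket is unconnected, so any port
    unreachable from a client that closed its socket is simply never delivered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]

    def serve():
        while True:
            try:
                data, peer = s.recvfrom(512)
            except OSError:
                return  # socket closed by the caller
            s.sendto(data[:2] + struct.pack("!H", 0x8180) + data[4:], peer)

    threading.Thread(target=serve, daemon=True).start()
    return s, port


def free_udp_port() -> int:
    """Pick a port nothing listens on, to provoke ICMP port unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_stub_server()
    tracker = UpstreamTracker()
    for p in (port, free_udp_port()):
        status, _ = send_query("127.0.0.1", p, "x.p.ctrc.cc")
        tracker.record("127.0.0.1:%d" % p, status)
        print(p, status, "usable:", tracker.usable("127.0.0.1:%d" % p))
    srv.close()
```

Run it as a script: the live stub port reports "answer" and the closed port reports "unreachable" immediately instead of waiting out the timeout, which is exactly the information a recursing server can use on its query-side socket and has no use for on its listening socket.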
