[dns-operations] blocking recursers

JP Velders jpv at veldersjes.net
Sat Mar 25 20:43:39 UTC 2006


> Date: Wed, 22 Mar 2006 19:27:28 -1000
> From: Randy Bush <randy at psg.com>
> Subject: [dns-operations] blocking recursers

> presume i serve significant, i.e. users will notice if i
> reject, zones.

Are you serving zones as a "tier" 1 (root), 2 (tld) or 3 (rest)? I'll 
assume we'll be talking about "tier 3", 'cause my head would hurt way 
too much if I'd extrapolate to tier 2 or even 1... ;D

> if i had a record of the recursive servers used to reflect
> an attack at my servers, would i be justified in blocking
> every-day queries from them until they tested recursion-
> free?  (with lots of explanation and clue-pots, of course)

Blocking abusive traffic is something within your rights as a network 
c.q. services owner, but very much dependent on other things like 
service agreements, contracts etc. But in principle, yes. ;)

Blocking *possible* abusive traffic (or something with a very high 
likelihood of being unwanted, abusive etc.) can also be justified, if 
precautions are taken to prevent and mitigate false positives.

> same question if it is a list of recursers used to reflect
> an attack on someone else's servers.

If someone is a known criminal in .nl, why should you judge him as 
someone with a completely clean slate in .de? On the other hand, if 
someone is a suspect, you should enquire a bit more, but not presume 
him/her/it guilty upfront.

I have this feeling you're headed towards something ending with 'bl'.

> same question if it is a list of recursers not yet shown
> to be used in an attack.  what have they done wrongly?
> have they not followed the standards, etc?

They can be abused, that's one side of the story... However, do you 
know if it is provided in a "responsible" (aka monitored, tightly 
controlled) or irresponsible manner?

If you compare to the whole Open Relay thing, one can argue that there 
are sufficient "authentication" techniques available (for both clients 
and servers!) that would not necessitate having to run an Open Relay, 
and of course webmail. For nameservers there aren't really any 
widely usable, deployed options.

> do i have the right to test random hosts for recursive
> service?  is this unwarranted search/probing not an attack
> itself?

Hm... Are you perhaps thinking of an ORDB/ORBS type of dnsbl for 
nameservers (oh, the irony! ;D)? When looking at how some ISPs 
check for Open Relays, I'd say I would like to see ISPs scan their 
customers for ORNs, warn them, take action, et cetera.

But just like with SMTP, you will probably need to have some way of 
nailing irresponsible ISPs or parties to a scaffold somewhere in 
order to get them to budge and actually do something "in the interest 
of the Internet"... :(

> do i have the right to test for recursive service hosts
> which send legitimate queries to my servers?  "hey, you
> contacted me!"

Well, I'm not sure. But, having port 53 open, and something listening, 
would at least entail that you want to serve something (aka, you have 
software running; it doesn't necessarily mean you knowingly want it to 
respond though). Heck, it's comparable to a webserver and HTTP/1.0+ 
VHosting. If the "Host:" header isn't hosted there, your webserver 
will just shrug it off, or it can give you the default page...

A nameserver has some extra options, "go away", "go ask aunty 
InterNIC" or "hang on dear, I'll ask for you".

It's a fact of having something on a live IP link that it will 
receive traffic or requests you do not wish to serve... So from a 
receiving perspective I'd not be too insulted. But when looking at 
doing something systematically, well, if they're contacting you then I 
guess you can more or less justify testing them for ORN-cooties.

Doing this as a massive scan (like ORDB, SORBS, etc) however is 
something I have reservations about. Such a setup would have to scan 
on a regular basis, and it's just too much akin to what the miscreants 
are doing.

But to compare to the SMTP realm, a lot of mailservers will do idents 
back to a connecting SMTP source, others will do (weird) SMTP callout 
verification (I have reservations about it), et cetera...

But, perhaps you could share some insights as to why you're asking? ;)

> randy

Kind regards,
JP Velders

PS: looking at this from Academia, I'm interested to see if a small 
    study could be done to just get an idea of really how widespread 
    ORNs are when looking at their distribution over setups, OSes, 
    locations etc. Determining their "cause", so to speak, might give 
    us extra tools to "fight" them.
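The thread keeps coming back to whether a nameserver has "tested recursion-free". The check itself is simple at the wire level: send a query for a name outside the server's own zones with the RD (recursion desired) bit set, and look at the RA (recursion available) bit, the RCODE and the answer count in the reply. The script below is an added example for auditing a nameserver you administer; it is not code from this list post or from any tool the thread mentions. It builds the query and decodes the reply header directly from the RFC 1035 wire format, and the two sample replies are constructed inline so the classification can be exercised without network access. The server address (127.0.0.1) and the query name are placeholders to be replaced by the operator's own.

```python
"""Audit one of your own nameservers for open recursion (an "ORN").

Added example, not from the dns-operations post. Assumes: the operator
supplies the address of a server they run (placeholder 127.0.0.1) and a
query name that the server is not authoritative for (placeholder
example.com). Only RFC 1035 header fields are used.
"""
import socket
import struct


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Standard A/IN query with RD=1, i.e. 'please recurse for me'."""
    flags = 0x0100                      # QR=0, OPCODE=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"                         # root label terminates the name
    return header + question + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(response: bytes) -> dict:
    """Decode the 12-byte DNS header; RA=1 means the server offers recursion."""
    if len(response) < 12:
        raise ValueError("short DNS response")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,        # 1 = this is a response
        "rd": (flags >> 8) & 1,         # copied from our query
        "ra": (flags >> 7) & 1,         # server advertises recursion
        "rcode": flags & 0xF,           # 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED
        "ancount": an,
    }


def classify(hdr: dict) -> str:
    """Interpret the reply to an out-of-zone query that asked for recursion."""
    if hdr["qr"] != 1:
        return "not-a-response"
    if hdr["ra"] == 1 and hdr["rcode"] == 0 and hdr["ancount"] > 0:
        return "open-recursive"         # it went and fetched the answer for us
    if hdr["ra"] == 1:
        return "recursion-available"    # RA set but nothing answered; still suspect
    if hdr["rcode"] == 5:
        return "refused"                # REFUSED: recursion denied, the desired state
    return "recursion-free"             # e.g. a bare referral with RA=0


def probe(server: str = "127.0.0.1", qname: str = "example.com",
          timeout: float = 3.0) -> str:
    """Send the query over UDP to a server you administer and classify the reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != 0x1234:
        return "id-mismatch"            # not our reply; ignore it
    return classify(hdr)


# Constructed sample replies (header only; classification needs no body).
# Open resolver: QR=1 RD=1 RA=1 RCODE=0, one answer record.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# Authoritative-only server: QR=1 RD=1 RA=0 RCODE=5 (REFUSED), no answer.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)


if __name__ == "__main__":
    print("sample open    :", classify(parse_header(SAMPLE_OPEN)))
    print("sample refused :", classify(parse_header(SAMPLE_REFUSED)))
    # Uncomment to test a server you operate:
    # print("live probe     :", probe("127.0.0.1"))
```

A result of "open-recursive" on a server meant to be authoritative-only is the condition the thread is worried about; in BIND the usual fix is to restrict `allow-recursion` (or `recursion no;` on a purely authoritative server) so that out-of-zone queries come back REFUSED, which the script reports as "refused".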
