[dns-operations] blocking recursers
jpv at veldersjes.net
Sat Mar 25 20:43:39 UTC 2006
> Date: Wed, 22 Mar 2006 19:27:28 -1000
> From: Randy Bush <randy at psg.com>
> Subject: [dns-operations] blocking recursers
> presume i serve significant, i.e. users will notice if i
> reject, zones.
are you serving zones as a "tier" 1 (root), 2 (tld) or 3 (rest) ? I'll
assume we'll be talking about "tier 3", cause my head would hurt way
too much if I'd extrapolate to tier 2 or even 1... ;D
> if i had a record of the recursive servers used to reflect
> an attack at my servers, would i be justified in blocking
> every-day queries from them until they tested recursion-
> free? (with lots of explanation and clue-pots, of course)
Blocking abusive traffic is something within your rights as a network
c.q. services owner, but very much dependant on other things like
service agreements, contracts etc. But in principle, yes. ;)
Blocking *possible* abusive traffic (or something with a very high
likelyhood of being unwanted, abusive etc) can also be justified, if
precautions are taken to prevent and mitigate false positives.
> same question if it is a list of recursers used to reflect
> an attack on someone else's servers.
If someone is a known criminal in .nl, why should you judge him as
someone with a completely clean slate in .de ? On the other hand, if
someone is a suspect, you should enquire a bit more, but not presume
him/her/it guilty upfront.
I have this feeling you're headed towards something ending with 'bl'.
> same question if it is a list of recursers not yet shown
> to be used in an attack. what have they done wrongly?
> have they not followed the standards, etc?
They can be abused, that's one side of the story... However, do you
know if it is provided in a "responsible" (aka monitored, tightly
controlled) or unresponsible manner ?
If you compare to the whole Open Relay thing, one can argue that there
are sufficient "authentication" techniques available (for both clients
and servers!) that would not necessitate having to run an Open Relay,
and ofcourse webmail. For nameservers there don't really exist any
widely usable deployed options.
> do i have the right to test random hosts for recursive
> service? is this unwarranted search/probing not an attack
Hm... Are you perhaps thinking of an ORDB/ORBS type of dnsbl for
nameservers (oh, the irony ! ;D) ? When looking at how some ISP's
check for Open Relays, I'd say I would like to see ISP's scan their
customers for ORN's, warn them, take action, et cetera.
But just like with SMTP, you will probably need to have some way of
nailing irresponsible ISP's or parties to a scaffold somewhere in
order to get them to budge and actually do something "in the interest
of the Internet"... :(
> do i have the right to test for recursive service hosts
> which send legitimate queries to my servers? "hey, you
> contacted me!"
Well, I'm not sure. But, having port 53 open, and something listening,
would at least entail that you want to serve something (aka, you have
software running, it doesn't necessarily mean you knowingly want it to
respond though). Heck, it's comparable to a webserver and HTTP/1.0+
VHosting. If the "Host:" header isn't hosted there, you're webserver
will just shrug it off, or it can give you the default page...
A nameserver has some extra options, "go away", "go ask aunty
InterNIC" or "hang on dear, I'll ask for you".
It's a fact of having something on a live IP link that it will
receive traffic or requests you do not wish to serve... So from a
receiving perspective I'd not be to insulted. But when looking at
doing something systematically, well, if they're contacting you then I
guess you can more or less justify testing them for ORN-cooties.
Doing this as a massive scan (like ORDB, SORBS, etc) however is
something I have reservations about. Such a setup would have to scan
on a regular basis, and it's just too much akin to what the miscreants
But to compare to the SMTP realm, a lot of mailservers will do ident's
back to a connecting SMTP source, others will do (weird) SMTP callout
verification (I have reservations about it), et cetera...
But, perhaps you could share some insights as to why you're asking ? ;)
PS: looking at this from Academia, I'm interested to see if a small
study could be done to just get an idea of really how widespread
ORN's are when looking at their distribution over setups, OS's,
locations etc. Determining their "cause", so to speak, might give
us extra tools to "fight" them.
More information about the dns-operations