[dns-operations] Restrict ANY query to TCP ? Re: Why would an MTA issue an ANY query instead of an MX query?

Olafur Gudmundsson ogud at ogud.com
Mon Jun 11 17:46:57 UTC 2012


Paul,
how about a much simpler configuration option to force all
ANY queries to be reissued over TCP:
	restrict-any-udp  "yes/no";

And have BIND reply with TC=1 and an empty answer section on ANY UDP queries.
This is simple, no state needed, no firewall rules, and gets rid of
spoofed addresses.

	Olafur


On 10/06/2012 10:18, Paul Vixie wrote:
> On 2012-06-10 10:29 AM, sthaug at nethelp.no wrote:
>>> Clue appreciated, thanks!
>> One word: qmail. Google "qmail dns any query".
>
> thinking about or acting against ANY is bad infosec economics. any
> investment along those lines is wasted, since ANY is merely the low
> hanging fruit, and an attacker need only switch over to TXT or RRSIG or
> NSEC to get a similar amplification effect from an authoritative name
> server, if ANY were widely nonresponsive.
>
> good infosec economics means the bad guy has a larger investment to make
> in order to reach the next round than you had to make to exit the last
> round.
>
> to that end, vernon schryver and i have been exploring rate limiting in
> BIND 9. there's a patch available, which i've so far offered only to
> anyone whose server is currently getting abused. what i'm worried about
> is that our profile for goodput-vs-badput is wrong headed or too coarse
> grained. so far so good.
>
> config {
>      // ...
>          rate-limit {
>                  responses-per-second 5;
>                  window 5;
>          };
> };
>
> paul
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
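As an added, constructed example (not BIND code, and not from either poster), the following toy authoritative responder in Python implements both behaviours discussed in this thread: the proposed restrict-any-udp option, which answers ANY over UDP with TC=1 and an empty answer section so a legitimate resolver retries over TCP, and a simplified version of the responses-per-second / window rate limiting described in the quoted reply, including a "slip" of every second dropped response as a truncated reply. The names (handle_query, RateLimiter, resolve), the one-record zone, the client addresses, the initial-credit rule and the slip value are all assumptions made for the demo, not BIND's actual semantics.

```python
"""Toy authoritative DNS responder: restrict-any-udp plus simplified RRL.
Constructed example; wire format follows RFC 1035 but the zone is fake."""
import struct
import ipaddress

QTYPE_A, QTYPE_ANY = 1, 255
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100

# Constructed toy zone (assumption): one A record, nothing else.
ZONE_A = {"example.com.": "192.0.2.10"}


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(pkt, off):
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_query(qname, qtype, txid=0x1234):
    """Wire-format query: header (RD set, one question) + question section."""
    return (struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def parse(pkt):
    """Parse header and first question; enough for this demo (no compression in questions)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "qname": qname, "qtype": qtype, "question": pkt[12:off + 4]}


class RateLimiter:
    """Simplified token bucket keyed on (client /24, qname, qtype), loosely modelled
    on BIND RRL. Assumptions: credit starts at responses_per_second, refills at
    responses_per_second per second, and is capped at window * responses_per_second.
    A response with no credit is dropped, except every `slip`-th one is sent as
    TC=1 with an empty answer so a real client behind a spoofed address can retry over TCP."""

    def __init__(self, responses_per_second=5, window=5, slip=2):
        self.rps, self.window, self.slip = responses_per_second, window, slip
        self.state = {}  # key -> [credit, last_seen, dropped_count]

    def check(self, client_ip, qname, qtype, now):
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        key = (net, qname, qtype)
        credit, last, dropped = self.state.get(key, (float(self.rps), now, 0))
        credit = min(credit + (now - last) * self.rps, float(self.rps * self.window))
        if credit >= 1:
            self.state[key] = [credit - 1, now, dropped]
            return "send"
        dropped += 1
        self.state[key] = [credit, now, dropped]
        return "slip" if dropped % self.slip == 0 else "drop"


def handle_query(pkt, transport, client_ip="192.0.2.1", now=0.0,
                 restrict_any_udp=True, limiter=None):
    """Return a response packet, or None when rate limiting drops it."""
    q = parse(pkt)
    flags = FLAG_QR | FLAG_AA | (q["flags"] & FLAG_RD)

    def reply(extra_flags, answer):
        hdr = struct.pack("!HHHHHH", q["id"], flags | extra_flags, 1, 1 if answer else 0, 0, 0)
        return hdr + q["question"] + answer

    # restrict-any-udp: never answer ANY over UDP, force the client onto TCP.
    if restrict_any_udp and transport == "udp" and q["qtype"] == QTYPE_ANY:
        return reply(FLAG_TC, b"")
    # Rate limiting applies to UDP only; TCP clients have proven their source address.
    if limiter is not None and transport == "udp":
        verdict = limiter.check(client_ip, q["qname"], q["qtype"], now)
        if verdict == "drop":
            return None
        if verdict == "slip":
            return reply(FLAG_TC, b"")
    addr = ZONE_A.get(q["qname"])
    if addr is None or q["qtype"] not in (QTYPE_A, QTYPE_ANY):
        return reply(0, b"")  # toy NODATA; real servers add SOA/NXDOMAIN handling
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 3600, 4) + ipaddress.IPv4Address(addr).packed
    return reply(0, rr)


def resolve(qname, qtype, **kw):
    """Client side: query over UDP, and on TC=1 reissue the same query over TCP."""
    q = build_query(qname, qtype)
    transport, r = "udp", handle_query(q, "udp", **kw)
    if r is not None and parse(r)["flags"] & FLAG_TC:
        transport, r = "tcp", handle_query(q, "tcp", **kw)
    return transport, r
```

The truncated reply is exactly the size of the query (header plus echoed question), so an ANY query forged from a victim's address yields no amplification, and the TCP retry only succeeds for a client that can complete the handshake from the real source address. The rate limiter shows why the quoted reply calls ANY filtering alone poor economics: with `restrict_any_udp=False` the same per-(client, name, type) bucket still caps repeated TXT or RRSIG answers.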