[dns-operations] Restrict ANY query to TCP ? Re: Why would an MTA issue an ANY query instead of an MX query?

Thomas Dupas thomas at dupas.be
Mon Jun 11 17:57:38 UTC 2012


Well, partly from what I see.
Posts from yesterday already mentioned that many sources are not spoofed for the actual query the nameserver sees.
If I look at our logs, I see that most of the ANY queries come from North America, not China. They use spoofed source IPs to reach the CPE, but the CPE queries towards the nameserver aren't spoofed.
Forcing ANY queries to TCP won't change that.

Of course those CPEs shouldn't be open recursive resolvers, but there's little you can do about that on the BIND/NSD side.
Or am I missing something?
I don't see any spoofed/China IPs in my logs, at least.

Br,

Thomas

On 11 Jun 2012, at 19:46, Olafur Gudmundsson wrote:

> Paul,
> how about much simpler configuration option to force all
> any queries to be reissued over TCP,
> 	restrict-any-udp  "yes/no";
> 
> And have BIND reply with TC=1 and empty answer section on ANY UDP queries.
> This is simple, no state needed, no firewall rules, and gets rid of 
> spoofed addresses.
> 
> 	Olafur
> 
> 
> On 10/06/2012 10:18, Paul Vixie wrote:
>> On 2012-06-10 10:29 AM, sthaug at nethelp.no wrote:
>>>> Clue appreciated, thanks!
>>> One word: qmail. Google "qmail dns any query".
>> 
>> thinking about or acting against ANY is bad infosec economics. any
>> investment along those lines is wasted, since ANY is merely the low
>> hanging fruit, and an attacker need only switch over to TXT or RRSIG or
>> NSEC to get a similar amplification effect from an authoritative name
>> server, if ANY were widely nonresponsive.
>> 
>> good infosec economics means the bad guy has a larger investment to make
>> in order to reach the next round than you had to make to exit the last
>> round.
>> 
>> to that end, vernon schryver and i have been exploring rate limiting in
>> BIND 9. there's a patch available, which i've so far offered only to
>> anyone whose server is currently getting abused. what i'm worried about
>> is that our profile for goodput-vs-badput is wrong-headed or too coarse
>> grained. so far so good.
>> 
>> config {
>>     // ...
>>         rate-limit {
>>                 responses-per-second 5;
>>                 window 5;
>>         };
>> };
>> 
>> paul
>> 
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>> 
>> 
>> 
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
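Olafur's proposal above (answer every UDP ANY query with TC=1 and an empty answer section) worked through at the wire-format level, as an added example that is not from this thread or from BIND: a pure-Python builder and parser for a one-question DNS message, plus the decision function and an amplification measurement. Function names (`build_query`, `truncated_reply`, `amplification`) and the example.com query are my own constructions.

```python
import struct

QTYPE_ANY = 255
FLAG_QR, FLAG_TC, FLAG_RD, OPCODE_MASK = 0x8000, 0x0200, 0x0100, 0x7800


def build_query(name, qtype, qid=0x1234):
    """Constructed sample query: 12-byte header, one question, no EDNS OPT record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)   # QDCOUNT=1, RD set
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def parse_question(msg):
    """Return (id, flags, qname, qtype, raw question bytes) of a one-question message."""
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos] != 0:                      # walk the length-prefixed labels
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1                                  # skip the root label
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return qid, flags, ".".join(labels) + ".", qtype, msg[12:pos + 4]


def truncated_reply(query, over_udp):
    """For a UDP ANY query return the TC=1, empty-answer response; otherwise None (answer normally)."""
    qid, flags, _, qtype, question = parse_question(query)
    if not over_udp or qtype != QTYPE_ANY:
        return None
    # QR=1, OPCODE and RD copied from the query, TC=1, AA/RA clear, RCODE=NOERROR
    rflags = FLAG_QR | (flags & OPCODE_MASK) | FLAG_TC | (flags & FLAG_RD)
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + question  # no RRs at all


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def amplification(query, response):
    """Bytes sent back per byte received: what a source-spoofing sender gains from this server."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    r = truncated_reply(q, over_udp=True)
    print(len(q), len(r), is_truncated(r), amplification(q, r))
```

The UDP leg drops to an amplification ratio of 1.0, which is the whole benefit of the proposal; a CPE open resolver that is not spoofing its own source address simply retries over TCP and keeps relaying, which is Thomas's objection above.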