[dns-operations] dns response rate limiting (DNS RRL) patch available for testing

Paul Vixie paul at redbarn.org
Mon Jun 18 14:00:27 UTC 2012


On 2012-06-18 9:49 AM, Stephane Bortzmeyer wrote:
> On Tue, Jun 12, 2012 at 08:15:00PM +0000,
>  Paul Vixie <paul at redbarn.org> wrote 
>  a message of 21 lines which said:
>
>> [recursive servers are] a separate problem, and most of the time the
>> fix is to add an ACL to deny off-net or off-campus query traffic.
>
> If you don't do ingress filtering, it still allows people to attack
> your users (they can send from the outside a "ANY ripe.net" query
> claiming to be from a local machine).

if you want to resist spoofed-source attacks, there's a suite of
necessary countermeasures, one of which is to lock down every UDP app
you have to make sure they are either only available within your own
network (so, an ACL) or are rate limited (as the DNS RRL patch for
BIND9(*) seems able to do, but as google dns and opendns also do.)

importantly, you must also drop any packet whose source address isn't
correct for the input interface. this means (as above) dropping packets
from outside your network which purport to be from inside your network;
more commonly it means dropping packets from inside your network which
purport to be from outside your network. this is covered in BCP38 and
BCP84(*) and to a lesser extent SAC004(*).

paul

(*)    http://www.redbarn.org/dns/ratelimits
       http://tools.ietf.org/html/bcp38
       http://tools.ietf.org/html/bcp84
       http://archive.icann.org/en/committees/security/sac004.txt
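An added illustration, not code from Paul's message or from the BIND9 RRL patch, of the two countermeasures he describes: a BCP38-style check that a packet's source address is plausible for the interface it arrived on, and a response rate limiter that suppresses repeated identical answers to the same requester network. The campus prefix, interface names, the /24 keying, the limit of 5 responses per second and the sample traffic are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed illustration, not the BIND9 RRL patch's code: one campus prefix
# (TEST-NET-1) and two interfaces, "outside" (the Internet) and "inside".
INSIDE = ipaddress.ip_network("192.0.2.0/24")


def ingress_ok(iface, src):
    """BCP38-style check: a source address must be plausible for the
    interface the packet arrived on, otherwise the packet is dropped."""
    src_is_inside = ipaddress.ip_address(src) in INSIDE
    return (not src_is_inside) if iface == "outside" else src_is_inside


class ResponseRateLimiter:
    """Fixed-window counter keyed by requester /24 and the answer asked
    for (name + type): identical answers beyond per_second in any one
    second are suppressed. Slip/truncate behaviour is not modelled."""

    def __init__(self, per_second):
        self.per_second = per_second
        self.counts = defaultdict(int)

    def allow(self, src, qname, qtype, t):
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        key = (net, qname.lower(), qtype, int(t))
        self.counts[key] += 1
        return self.counts[key] <= self.per_second


# Constructed traffic: 20 "ANY ripe.net" queries within one second, all
# arriving on the outside interface but claiming an inside source (the
# attack Stephane describes), then one genuine query from inside.
PACKETS = [("outside", "192.0.2.10", "ripe.net", "ANY", i * 0.01) for i in range(20)]
PACKETS.append(("inside", "192.0.2.20", "ripe.net", "A", 0.5))


def process(packets, per_second=5, ingress_filter=True):
    """Return how many packets each countermeasure stopped or let through."""
    rrl = ResponseRateLimiter(per_second)
    stats = {"dropped_ingress": 0, "rate_limited": 0, "answered": 0}
    for iface, src, qname, qtype, t in packets:
        if ingress_filter and not ingress_ok(iface, src):
            stats["dropped_ingress"] += 1
        elif not rrl.allow(src, qname, qtype, t):
            stats["rate_limited"] += 1
        else:
            stats["answered"] += 1
    return stats
```

Running `process(PACKETS, ingress_filter=False)` shows the rate limiter alone still lets the first five spoofed answers reach the victim, while `process(PACKETS)` shows ingress filtering dropping all twenty before they are ever answered.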
