[dns-operations] Why would an MTA issue an ANY query instead of an MX query?

Vernon Schryver vjs at rhyolite.com
Sat Jun 23 23:07:27 UTC 2012

> From: Florian Weimer <fw at deneb.enyo.de>

> > Emergency patches against ANY to last for a day or two for lack of
> > other available tools can make good sense--for a day or so.  But
> > spending any long term effort on ANY queries in this context is the
> > same "thinking" that brought us SPF as the final ultimate solution
> > to the spam problem (FUSSP), because as we all "knew," spam requires
> > forged senders.
> But unlike spam, these attacks require spoofed source addresses.

Was I really that unclear?  Of course forged IP source addresses
are a critical part of DNS reflection DoS attacks, just as "bulk"
is a critical part of spam.  My point is that it is necessary to
pay attention to the necessary aspects of the problem and deal with
those instead of trivial efforts against the current wrapping paper.

>From the history of obvious bogus spam FUSSPs such as the many
variations of "email authentication" and the "prove mail sender is
a human" unsolicited bulk email (spam) sent to uninvolved third
parties, I predict that the next "solution" to DNS reflection attacks
after the current "disable AUTHORITY and ADDITIONAL sections" and
"disable ANY" will be "disable DNSSEC."

Solutions analogous to "know your customer before allowing outgoing
bulk connections to TCP port 25" such as "disable or restrict open
recursive DNS servers to known users" or even "install response rate
limiting DNS software" (not to mention BCP 38) are resisted as too
hard.  The saving grace is that the monetary rewards for allowing DNS
reflection attacks aren't as large as those for allowing unsolicited
bulk email.

> Perhaps it's time to admit defeat, call our legislators, and suggest
> that they mandate source address validation by service providers.

Speaking of easier non-solutions that would not only not solve the problem
but create worse problems ...

On the other hand, if service providers were liable for damages
caused by forged IP source addresses (or forged SMTP envelopes) ...

Vernon Schryver    vjs at rhyolite.com

More information about the dns-operations mailing list