[dns-operations] Recently closed open resolver and reflection attacks

Joe Abley jabley at hopcount.ca
Wed Mar 6 17:02:11 UTC 2013

On 2013-03-06, at 11:36, WBrown at e1b.org wrote:

> I recently helped close down an open recursive resolver.  It is still 
> getting a lot of queries for isc.org/ANY which get a refused response 
> (unless slipped/dropped by RRL).  Granted, this doesn't amplify the attack 
> since REFUSED is a fairly small packet, but it is still traffic to the 
> attacked site.

I believe the current advice is not to use RRL on recursive servers. You might want to check that you're not unintentionally denying service to legitimate clients. Simply restricting access to a known community of clients is the more usual precaution (i.e. making it not be an open recursive server, as you've done).

> Given that no properly configured server should be querying this recursive 
> name server for isc.org, why should it respond with anything?  Why not 
> just drop the packet for any recursive request if it is not going to 
> answer it?

Replying with REFUSED provides the client with the opportunity not to re-query. Dropping the request on the floor leaves the client in the dark, and might well lead it to retry. This assumes legitimate client behaviour. Malware is in the business of sending repeated packets, of course.

I am certainly aware of people who use stateless filters on routers in front of recursive DNS servers that simply block requests from non-clients. The people I'm thinking of do this because in their environment it's easier to maintain that block list on the router than it is on the nameserver. I don't think this is a necessarily harmful approach.

> I suppose in the good old days, it was polite to say, "Sorry, 
> I can't answer that."  We also used to accept unsolicited commercial 
> emails.  The RFCs state we should either reject during SMTP or if we 
> accept a message, we should either deliver or generate a delivery failure. 
> Now we filter and drop spam on the floor.

Inbound (non-submission) SMTP servers and recursive DNS servers are different. With SMTP servers you cannot enumerate a list of legitimate clients; the point of e-mail is to attract inbound messages from the whole Internet. With recursive DNS servers you know exactly who your client base is.

I actually quite dislike the habit of silently discarding e-mail because it looks like spam, because false positives are annoying. Bounces are better from the perspective of someone who sent an e-mail that was mis-filed as spam.

However, if an inbound DNS query directed at a recursive server is from a non-legitimate source (and we can tell, because legitimate sources are all on our network and we can drop spoofed legitimate queries at our border), I think it's far more appropriate to silently drop it.
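As an added illustration of the policy argued in this reply (not code from the original thread or from any of the posters), here is a small Python model of the stateless border filter and of the repeated isc.org/ANY pattern WBrown describes. The client prefixes, the log format and the choice that on-net but unknown sources get REFUSED from the nameserver are assumptions.

```python
import ipaddress
from collections import Counter

# Assumed client base of the recursive resolver (constructed prefixes,
# not from the original post).
CLIENT_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("2001:db8::/32")]

def is_client(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in CLIENT_PREFIXES)

def policy(src, ingress):
    """What the filter in front of the resolver should do with a query.

    ingress is "inside" (arrived on an internal interface) or "border"
    (arrived from the Internet). Real clients are all on-net, so a
    client-range source seen at the border is spoofed and is dropped
    with everything else that arrives there.
    """
    if ingress == "border":
        return "drop"      # non-client or spoofed client address: silent drop
    if is_client(src):
        return "answer"    # legitimate on-net client: resolver serves it
    return "refused"       # on-net but unknown: REFUSED lets it stop retrying

# Constructed query-log lines in a "src qname qtype" shape (not real logs).
SAMPLE_LOG = """\
198.51.100.7 isc.org ANY
198.51.100.7 isc.org ANY
198.51.100.7 isc.org ANY
192.0.2.10 www.example.com A
198.51.100.7 isc.org ANY
192.0.2.11 mail.example.com MX
"""

def reflection_suspects(log_text, threshold=3):
    """Sources sending repeated ANY queries for one name, the reflection
    signature in the post. Note the source is usually the spoofed address
    of the attacked site, so blocking it punishes the victim; the fix is
    the access restriction above, not a per-source block."""
    counts = Counter()
    for line in log_text.splitlines():
        src, qname, qtype = line.split()
        if qtype == "ANY":
            counts[(src, qname)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}
```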
