[dns-operations] Force TCP for external queries to Open Resolvers?

Xun Fan xunfan at isi.edu
Sun Mar 31 18:42:19 UTC 2013

I want to emphasize here that my proposal is to use TCP only for off-net
users, for all users inside the same network as OR, they just keep using

As I said before, if there are millions of off-net users, then the
administrator of the OR will make the judgement, probably won't close their

] Vernon Schryver vjs at rhyolite.com
] If you could change the 21 million open resolvers and for crazy reasons
] wanted to keep them open, there are cheaper ways to make them useless
] for reflection attacks than the TC=1 hack.  But if you could change
] them, you would close them for simple hygiene and so not care about
] DNS/TCP, T/TCP, DNS cookies, or anything else.

I never want to change 21 million open resolvers; nobody can. There are a
lot of unmaintained ORs that are out of our discussion, as they will remain
open anyway.

What we discuss here is for those administrators who are willing to do
something to their OR. Look at what options they have:
1) keep open => DNS amp attackers are happy
2) close => no one can query from outside

What about those who want to leave it open yet not want to be utilized by
Maybe you could say that they are mistaken, but this has nothing to do with
their OR, because whether or not to close the OR is decided by them, not
you and me. If we leave them no option, they may choose to keep it open. If they
think turning to TCP for off-net has too much overhead, they could choose to
keep it open using UDP or just close it. The point is we should give them options.

I am happy to hear there are other simple solutions for those
administrators who "want to leave it open yet not want to be utilized by
attackers". The best would be to just change the configuration of their current
DNS server software; if not, the second best is to apply a patch only to
the DNS server software. DNS cookies need changes in client software, which
is harder.

On Sun, Mar 31, 2013 at 2:30 AM, Xun Fan <xunfan at isi.edu> wrote:

> Instead of closing the open resolvers, can we just force queries from
> external networks to use TCP? Say reply to queries from external
> networks with a short truncated UDP response to signal the querier to turn to TCP? This
> will help disable reflection amplification while leaving a door open for
> legitimate users of open resolvers. (I don't know if this idea has been
> discussed before; if so, can anyone please give me a link to the discussion?
> Thanks!)
> I have been looking around on several mailing lists recently and saw many
> people vote for shutting down ORs. The primary reason, AFAIK, is ORs enable
> DNS reflection amplification attacks and the problem is getting more serious
> recently. No doubt that we have to solve this problem because someone is
> hurt and potentially many others.
> I saw several key words: BCP38, rate limiting and TCP. While BCP38 is the
> best solution, it takes time to be deployed. Rate limiting is coming but
> many people think it's better for authoritative name servers. What I want
> to discuss here is TCP. Someone says TCP is expensive, but if we could
> afford entirely shutting down external queries, then two more RTTs to get a
> response seems trivial.
> There are some posts, reasonable or not, stating some legitimate cases for
> open resolvers. And as an internet measurement researcher, I also find
> value in open resolvers in some research projects, as ORs greatly extend
> our view of the Internet. I would like to find a way to solve the problem
> that we are facing now, while preserving the open resolvers for their good side.
> So do you think "force TCP for external queries to OR" is a feasible
> solution to the DNS reflection amplification problem?
> Xun Fan
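The off-net TC=1 policy discussed in this thread, as an added example that is not part of the original post and is not code from any DNS server: it builds a wire-format query, applies an on-net/off-net check (the 192.0.2.0/24 prefix is an assumed placeholder), and shows that the truncated UDP reply is no larger than the query, so the resolver cannot be used as an amplifier by off-net senders.

```python
import ipaddress
import struct

# Assumed placeholder for the resolver's own network; anything outside it is "off-net".
ON_NET = [ipaddress.ip_network("192.0.2.0/24")]


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS query (UDP wire format): 12-byte header + one question."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def question_section(query: bytes) -> bytes:
    """Return the bytes of the first question (QNAME + QTYPE + QCLASS)."""
    pos = 12
    while query[pos] != 0:          # walk the labels until the root label
        pos += 1 + query[pos]
    return query[12:pos + 1 + 4]


def is_off_net(src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    return not any(ip in net for net in ON_NET)


def truncated_reply(query: bytes) -> bytes:
    """Reply with QR=1, TC=1, RA=1, RD copied, and no resource records at all.
    A conforming client retries over TCP, where the source address is validated
    by the handshake; a spoofed UDP sender gets only this small packet."""
    txid, flags = struct.unpack("!HH", query[:4])
    reply_flags = 0x8000 | 0x0200 | (flags & 0x0100) | 0x0080  # QR | TC | RD | RA
    return struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0) + question_section(query)


def handle_udp_query(src_ip: str, query: bytes, full_answer: bytes) -> bytes:
    """The proposal's policy: on-net clients get the normal UDP answer,
    off-net clients only ever get a truncated response over UDP."""
    if is_off_net(src_ip):
        return truncated_reply(query)
    return full_answer


def amplification(query: bytes, reply: bytes) -> float:
    """Bytes sent back per byte received; >1 means the resolver amplifies."""
    return len(reply) / len(query)
```

The full answer an on-net client would receive is passed in as an opaque byte string here, since only its size matters for the amplification comparison.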