[dns-operations] Big reduction in the number of TLD zones blocking EDNS(1) queries
Mark Andrews
marka at isc.org
Sun Aug 9 05:20:14 UTC 2015
In message <CADb+6TBUHy8d=sAgPvGo0Yk-FkNzoXYWyiDD-pacZ3WfXyF7mA at mail.gmail.com>, Joel Maslak writes:
>
> I'll add one note here: if you're behind an overzealous firewall, these
> tests may tell you more about your firewall than your DNS servers. I found
> this out the hard way doing some EDNS testing from behind a Juniper SRX (it
> also blocked large responses, unknown [to it] edns versions, etc). It did
> the blocking in either direction through the device.
From the outside it doesn't matter which bit of kit is broken. For the
record, firewalls and scrubbing services are covered in
https://tools.ietf.org/html/draft-andrews-dns-no-response-issue-08
Mark
> If someone else is behind one of these SRXes, and you want to turn it into
> more of a dumb packet filter as far as DNS:
>
> set security alg dns disable
>
> I didn't bother to see if different JunOS code handles EDNS and large DNS
> responses better.
>
> Obviously if this ALG actually provides some sort of security, you've
> disabled it. I'd be really interested to hear about what security
> vulnerabilities it actually blocks, at least if you aren't doing any
> content filtering.
>
>
> On Sat, Aug 8, 2015 at 2:18 PM, Mark Andrews <marka at isc.org> wrote:
>
> >
> > As of the 8th of August there was a big reduction in the
> > number of TLD zones which filtered queries with unknown
> > EDNS version or unknown EDNS flags.
> >
> > While there is still work to do to improve EDNS compliance
> > this is a big step forward. Thank you.
> >
> > https://ednscomp.isc.org/compliance/summary.html
> >
> > As some of the operators involved also serve part of the
> > Alexa top 1000, a visible step improvement has been seen
> > there as well.
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > dns-jobs mailing list
> > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> >
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
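As an added example (my own code, not from this thread and not ISC's ednscomp tester): a minimal probe that sends the kind of EDNS version 1 query the compliance test relies on and classifies what comes back. A compliant server answers BADVERS, a non-compliant one often answers FORMERR without an OPT record, and a timeout is what you see when a middlebox such as the SRX DNS ALG described above drops the query or the reply. The server and name are parameters, and the two sample replies are constructed inline.

```python
import socket
import struct
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 16: "BADVERS"}

def encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def build_edns_query(name, version=1, qtype=6):
    # Header: id, flags (RD set), qdcount 1, ancount 0, nscount 0, arcount 1 (the OPT RR)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode|version|flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, version << 16, 0)
    return header + question + opt

def skip_name(msg, off):
    # Advance past a wire-format name; a compression pointer (top two bits set) ends it in two bytes
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def classify_response(msg):
    # Return the 12-bit extended RCODE name; "/NOOPT" marks a reply that carries no OPT RR at all
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, ext = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            ext = ttl >> 24                     # extended RCODE lives in the top byte of the OPT TTL
    rcode = ((ext or 0) << 4) | (flags & 0x0F)
    name = RCODES.get(rcode, "RCODE%d" % rcode)
    return name if ext is not None else name + "/NOOPT"

def probe(server, name, timeout=3.0):
    # TIMEOUT means the query or its reply was dropped on the path, by the server or by a middlebox
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name), (server, 53))
        try:
            return classify_response(s.recv(4096))
        except socket.timeout:
            return "TIMEOUT"
# Constructed sample replies: a compliant BADVERS (OPT ext-rcode 1, version 0) and a non-compliant FORMERR with no OPT
SAMPLE_BADVERS = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 1) + encode_name("example.") + struct.pack("!HH", 6, 1) + b"\x00" + struct.pack("!HHIH", 41, 4096, 1 << 24, 0)
SAMPLE_FORMERR_NOOPT = struct.pack("!HHHHHH", 0x1234, 0x8181, 1, 0, 0, 0) + encode_name("example.") + struct.pack("!HH", 6, 1)
```

Run `probe()` once from inside the firewall and once from outside against the same authoritative server; if only the inside run reports TIMEOUT, the middlebox, not the server, is what the compliance test is measuring.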