[dns-operations] Configurable TC=1?

Jared Mauch jared at puck.nether.net
Tue Dec 22 00:14:35 UTC 2015 

On Mon, Dec 21, 2015 at 02:36:26PM -0800, Paul Vixie wrote:
> On Monday, December 21, 2015 03:56:44 PM Jared Mauch wrote:
> > 
> > 	RRL is closer to the 'right' solution, but
> > you could likely do something in this part of the BIND
> > codebase:
> > 
> > http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch
> > 
> 
> when planning defense, it's best to think at least one step ahead. so, before you invest in a 
> point solution such as redirecting qtype=ANY to TCP, i suggest figuring out what the bad guys 
> will do as their response. if what they can do is cheap for them and expensive for you, then it 
> may be a fool's errand to invest in that point solution.

	As a common fool, this patch is something from "a long time ago"
but does provide where someone might implement some further work.  There
were some suggestions I had into the RRL process that were not undertaken
as work that would have made it more robust.  I'm a good one-off hacker
for this stuff, and as anyone knowledgeable about qtype=255 knows the
behavior is anything but deterministic as similar to tcp/53 it was not
written with a MUST.  You can see the attempts to make ANY go away
at the IETF here: 

https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any-00

> the TXT response for nether.net is 306 octets. that's 5X amplification factor (BPS), which is 
> relatively common since there is an SPF RR there. qtype=ANY is not required for a successful 
> amplification attack against that authority server, so if it stops working, i would expect the 
> bad guys to simply "adapt".

	Yup.  Thankfully this is neither my first rodeo nor yours.  There's a lot
that happens if you look for the google-site-verification txt record which is very
common and not often removed.

> adapting to DNS RRL is not impossible, but it is at least marginally harder than switching to a 
> non-DNS attack vector, so, it's good enough for now while we figure out the right way to 
> incentivize more BCP38 deployment.

	Changing amplification to pure reflection (1:1) is helpful in many regards
and DNS is actually one of the better UDP based protocols.

	- Jared


-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

More information about the dns-operations mailing list