[dns-operations] Configurable TC=1?
jared at puck.nether.net
Tue Dec 22 00:14:35 UTC 2015
On Mon, Dec 21, 2015 at 02:36:26PM -0800, Paul Vixie wrote:
> On Monday, December 21, 2015 03:56:44 PM Jared Mauch wrote:
> > RRL is closer to the 'right' solution, but
> > you could likely do something in this part of the BIND
> > codebase:
> > http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch
> when planning defense, it's best to think at least one step ahead. so, before you invest in a
> point solution such as redirecting qtype=ANY to TCP, i suggest figuring out what the bad guys
> will do as their response. if what they can do is cheap for them and expensive for you, then it
> may be a fool's errand to invest in that point solution.
As a common fool, this patch is something from "a long time ago"
but does provide where someone might implement some further work. There
were some suggestions I had into the RRL process that were not undertaken
as work that would have made it more robust. I'm a good one-off hacker
for this stuff, and as anyone knowledgeable about qtype=255 knows the
behavior is anything but deterministic as similar to tcp/53 it was not
written with a MUST. You can see the attempts to make ANY go away
at the IETF here:
> the TXT response for nether.net is 306 octets. that's 5X amplification factor (BPS), which is
> relatively common since there is an SPF RR there. qtype=ANY is not required for a successful
> amplification attack against that authority server, so if it stops working, i would expect the
> bad guys to simply "adapt".
Yup. Thankfully this is neither my first rodeo nor yours. There's a lot
that happens if you look for the google-site-verification txt record which is very
common and not often removed.
> adapting to DNS RRL is not impossible, but it is at least marginally harder than switching to a
> non-DNS attack vector, so, it's good enough for now while we figure out the right way to
> incentivize more BCP38 deployment.
Changing amplification to pure reflection (1:1) is helpful in many regards
and DNS is actually one of the better UDP based protocols.
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
More information about the dns-operations