[dns-operations] EDNS vs DDOS scrubbing - was Re: Nice to see Amazon Route 53 remove the EDNS(1) filters for *.co.uk.

Mark Andrews marka at isc.org
Thu May 28 02:03:59 UTC 2015


In message <AD0F3C7E-72D4-4786-AF6C-1BF9CBAF833D at hopcount.ca>, "Joe Abley" writ
es:
> On 27 May 2015, at 13:00, Mark Andrews wrote:
> 
> > No. Just "different query - must be bad".  "Different query - don't
> > know what to do -> drop" from firewall vendors.
> 
> For an enterprise, given that there's no defined use, format (and 
> therefore need) for EDNS(1), if your security posture is "default deny, 
> accept what we know we need" then dropping DNS messages with EDNS(1) 
> seems like exactly the right thing to do, doesn't it?

TLD operators are there to provide a service to the public and to
the delegated zone.  Part of that service is a expectation that
they will properly implement the protocol.

Or you can educate firewall vendors that it really does hurt their
customers when you block extension mechanisms.  It makes life hard
for their customer's customers.  Nameservers do handle the extensions
even if not always correctly (formerr rather than ignore or ignore
rather than badvers depending upon the extension) so it is most a
case of blocking just because they can rather than because it is
protecting anything.  Nameservers don't fallover these days, 20
years ago some did.

> I understand the point that this posture makes future development and 
> deployment of EDNS(1) hard. I understand why that's a pain for protocol 
> development in the DNS. You don't have to explain either of those things 
> to me. (Just saying.)
> 
> But it's not like anybody is going to succeed in getting an enterprise 
> or their firewall vendor to say yes when the request they are hearing is 
> "can you please open up this hole for an experimental protocol that 
> nobody apart from me knows anything about, so that I can play with it".

No.  It's tell me nicely that you don't support the extension.
Dropping packets is just plain anti-social and always has been.

A firewall can generate a BADVERS response, just like it can generate
a TCP RST.  You don't have to break the protocol, you can co-operate
with the protocol.

> Remember, these are the people that think ICMP is a security risk.
> 
> 
> Joe
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the dns-operations mailing list