[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Shane Kerr shane at time-travellers.org
Mon Sep 5 05:56:41 UTC 2016


Roland,

At 2016-09-04 00:07:24 +0700
Roland Dobbins <rdobbins at arbor.net> wrote:

> On 3 Sep 2016, at 23:30, Shane Kerr wrote:
> 
> > Setting "minimal-responses" in BIND 9's named.conf should fix this.  
> 
> Paul's real point is that just about any (heh) DNS record can be used 
> for some degree of reflection/amplification.
> 
> A corollary is that most reflection/amplification attacks - in point of 
> fact, most DDoS attacks in general - are gratuitous examples of 
> overkill.  1:1 reflection alone would meet the obfuscatory needs of most 
> attackers and still get the job done conformant to requirements.

For the record, I know what Paul's point was supposed to be, and I
understand how reflection and amplification attacks work in UDP in
general and DNS in particular.

I replied to Paul as I did because his particular example did not
actually support his point. His example merely shows that a DNS
administrator can easily configure his server to provide larger
responses than necessary or useful. (In this case by using the BIND 9
defaults.)

As to Paul's actual point, I see the progression like this:

* DNS Operator discovers their authoritative servers are being used for
  amplification attacks with ANY.

* DNS Operator blocks ANY queries (perhaps using a slightly more
  sophisticated technique like PowerDNS's truncate-all-ANY replies).

* Happy networking ensues.

* DNS Operator does the friendly thing, and tells other operators that
  they have had good luck with blocking ANY queries.

* DNS Gurus point out that there are many other ways that an attacker
  can achieve similar results.

* DNS Operator shrugs and says, "okay, it works for me though".

* DNS Gurus become enraged.

It's that very last step that confuses me.

Operators have pointed out many times that blocking ANY seems to help
them in practice. DNS folks have pointed out many times that this is
not a good defense because there are other ways to achieve
amplification. For a scientist it's an interesting question why blocking
ANY seems to help even though it is straightforward to get large
responses via other means. For an engineer it is less important - do
what works, especially if it is cheap & easy with no drawbacks. :)

I mean, an attacker can defeat RRL as well, but I don't see repeated
attempts to convince people not to use RRL.

Cheers,

--
Shane
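As an added example (not from Shane's message, nor from the BIND or PowerDNS projects), here is what the mitigations discussed above look like in a BIND 9 named.conf: "minimal-responses", a minimal ANY answer, and RRL. The numeric rate-limit values are illustrative assumptions to be tuned per server, and "minimal-any" assumes BIND 9.11 or later.

```conf
options {
    // Return only the answer section and drop the authority/additional
    // records that inflate UDP responses (the "minimal-responses" fix
    // mentioned in the thread).
    minimal-responses yes;

    // BIND 9.11+: answer ANY over UDP with a single RRset rather than
    // every record at the name, removing most of ANY's amplification
    // without refusing the query outright.
    minimal-any yes;

    // Response Rate Limiting. Values are illustrative assumptions; tune
    // them to the server's real traffic.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;        // every 2nd limited response is a TC=1 "retry over TCP" reply
        log-only no;   // set to yes first to see what would be limited
    };
};
```

The PowerDNS equivalent of the "truncate all ANY replies" technique is `any-to-tcp=yes` in pdns.conf, which sets TC on UDP ANY responses so legitimate clients retry over TCP while spoofed UDP sources get nothing large. To check the effect from outside, compare the response sizes of `dig +bufsize=4096 ANY <zone> @<server>` and `dig +tcp ANY <zone> @<server>`: after the change the UDP answer should be small or truncated while the TCP answer stays complete.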