[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Mon Sep 5 18:34:07 UTC 2016

On 9/4/2016 10:56 PM, Shane Kerr wrote:
> Roland,
>
> At 2016-09-04 00:07:24 +0700
> Roland Dobbins <rdobbins at arbor.net> wrote:
>
>> On 3 Sep 2016, at 23:30, Shane Kerr wrote:
>>
>>> Setting "minimal-responses" in BIND 9's named.conf should fix this.
>>
>> Paul's real point is that just about any (heh) DNS record can be used
>> for some degree of reflection/amplification.
>>
>> A corollary is that most reflection/amplification attacks - in point of
>> fact, most DDoS attacks in general - are gratuitous examples of
>> overkill.  1:1 reflection alone would meet the obfuscatory needs of most
>> attackers and still get the job done conformant to requirements.
>
> For the record, I know what Paul's point was supposed to be,

I'm not sure you do. :)  I think it was, "Blocking individual records is 
silly, use RRL instead."  Is that what you got?

[snip]

> As to Paul's actual point, I see the the progression like this:
>
> * DNS Operator discovers their authoritative servers are being used for
>   amplification attacks with ANY.

* DNS Operator fails to do any research on appropriate solutions to the 
problem, and acts in ignorance.

> * DNS Operator blocks ANY queries (perhaps using a slightly more
>   sophisticated technique like PowerDNS's truncate-all-ANY replies).
>
> * Happy networking ensues.

* Bad actors switch to using different QTYPE(s), and DNS Operator's 
servers are used as a reflection source.

> * DNS Operator does the friendly thing,

^W^W^W^W passes along their ignorant, ineffective "solution"

> * DNS Gurus point out that there are many other ways that an attacker
>   can achieve similar results.

... and that not only is blocking individual QTYPEs not likely to work, 
it may break something for the zones that they are responsible for. Also 
that passing along configuration advice to other operators when you 
neither understand the problem nor the solution makes things worse 
instead of better.

> * DNS Operator shrugs and says, "okay, it works for me though".
>
> * DNS Gurus become enraged.
>
> It's that very last step that confuses me.

Hopefully now it's less confusing for you. :)

> Operators have pointed out many times that blocking ANY seems to help
> them in practice. DNS folks have pointed out many times that this is
> not a good defense because there are other ways to achieve
> amplification. For a scientist it's an interesting question why blocking
> ANY seems to help even though it is straightforward to get large
> responses via other means.

Because not all script kiddies are smart enough to change QTYPEs 
*today*, but they will be tomorrow. They pass along helpful advice to 
each other too.

> For an engineer it is less important - do
> what works, especially if it is cheap & easy with no drawbacks. :)

Disabling parts of the protocol always has drawbacks, whether they are 
obvious brokenness today, or inability to innovate tomorrow because a 
defined part of the protocol is no longer supported in practice.

> I mean, an attacker can defeat RRL as well, but I don't see repeated
> attempts to convince people not to use RRL.

Sure, but to do so is dramatically more difficult than s/ANY/SOA/. 
Please see my response to Damian on plugging as many holes as possible 
because no one hole is the complete solution to the problem.

Doug