[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Jared Mauch jared at puck.nether.net
Tue Sep 6 11:49:36 UTC 2016


> On Sep 5, 2016, at 11:39 AM, Jim Reid <jim at rfc1035.com> wrote:
> 
> 
>> On 5 Sep 2016, at 15:47, Damian Menscher <damian at google.com> wrote:
>> 
>> 1) Bypassing ANY is trivial for the attacker, as they can switch to TXT or any other record.
> 
> Not quite. An attacker can of course easily switch from ANY queries to whatever qtype they choose. This probably won't produce as big a bang for their buck because the response payload for that qtype is unlikely to be as chunky as an ANY response. Or they might only get a NOHOST or NXDOMAIN if there’s no TXT (say) record for the qname.
> 
> 
> Just FYI, here are the response sizes for queries to the root for a random selection of qtypes:
> 
> ANY	2047
> NS	783
> SOA	640
> DNSKEY	450
> RRSIG	1471
> TXT	103 (NOHOST)
> MX	103 (NOHOST)

Related garbage for zones I host by QTYPE:

num.type.TYPE0=246
num.type.A=228043234
num.type.NS=6068871
num.type.MD=0
num.type.MF=0
num.type.CNAME=1018305
num.type.SOA=2114100
num.type.MB=0
num.type.MG=0
num.type.MR=0
num.type.NULL=221
num.type.WKS=0
num.type.PTR=14110262
num.type.HINFO=695
num.type.MINFO=0
num.type.MX=17812715
num.type.TXT=4433700
num.type.RP=7
num.type.AFSDB=4843
num.type.X25=283
num.type.ISDN=0
num.type.RT=0
num.type.NSAP=0
num.type.SIG=0
num.type.KEY=0
num.type.PX=0
num.type.AAAA=164998849
num.type.LOC=1393
num.type.NXT=995
num.type.TYPE31=574
num.type.SRV=3269391
num.type.NAPTR=37329
num.type.KX=0
num.type.CERT=21
num.type.TYPE38=174387
num.type.DNAME=35
num.type.OPT=0
num.type.APL=0
num.type.DS=474220
num.type.SSHFP=2584
num.type.IPSECKEY=1
num.type.RRSIG=3210
num.type.NSEC=11544
num.type.DNSKEY=4330700
num.type.DHCID=0
num.type.NSEC3=35
num.type.NSEC3PARAM=2806
num.type.TLSA=48846
num.type.CDS=0
num.type.CDNSKEY=0
num.type.CSYNC=0
num.type.SPF=1588977
num.type.TYPE103=39
num.type.NID=0
num.type.L32=0
num.type.L64=0
num.type.LP=0
num.type.EUI48=0
num.type.EUI64=0
num.type.TYPE251=2280
num.type.TYPE252=5971
num.type.TYPE255=1736863
