From: Fabian W. <fa...@we...> - 2012-07-24 07:38:15
Hello Yaroslav

On 24.07.2012 00:57, Yaroslav Halchenko wrote:
> just for the sake of my own education: am I not correct that use of
> DNSSEC practically implies use of TCP due to large packet sizes, thus
> actually an additional difficulty of spoofing, thus such an attack would
> be actually more difficult to accomplish... ?

I do not know such details about DNSSEC, but without DNSSEC the DNS server does use TCP if the answer is too large for one packet (1500 bytes including IP headers). In this case the server asks the resolver back through UDP to redo the request through TCP. But currently there are too many possible requests through UDP with just a small request, e.g. for ANY, which usually gives in proportion a much larger (but less than 1500 byte) answer.

About 3 years ago there was an attack with IN NS requests for the . (root) zone, which BIND has answered, even when it was not configured for recursion from the outside world. In this case the request is very small, but the answer is quite large (but still fits into one packet) with all the hostnames and IP addresses for the root nameservers from a to m. If requests with a faked source IP address were done from many systems (a botnet) to a lot of non-involved DNS servers, then the attacked IP address will get a lot more data traffic with the answers from all these non-involved DNS servers. So it is a good idea to detect such abuse and block it, so your DNS server will not be part of this attack.

It is very sad that many ISPs do not implement best practice and only allow outbound traffic with source IP addresses from their own and customer IP ranges. If they would do it, such attacks would not be possible, or at least limited to the same ISP.

BIND does not have any kind of rate limiting, but probably this is for good, as a lot of things will break when a DNS server does not answer the requests from legitimate clients.

The only thing which safely could be blocked are DNS requests for IN ANY (use a reasonable maxretry and short findtime), as there is no technical reason for such requests. As far as I know, these are only manual requests done by humans to debug a domain. Also blocking requests for domains for which your DNS server is not authoritative is safe to do. Use it also with a reasonable maxretry and short findtime so that at least a few NX answers can get back.

bye
Fabian
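The two filters Fabian suggests (IN ANY queries, and queries for zones the server is not authoritative for) and the maxretry/findtime tuning he recommends can be tried out offline before touching a running fail2ban. The following is an added example, not code from the original message or from fail2ban itself: it writes the two rules as fail2ban-style failregex patterns with the <HOST> tag, expands <HOST> with a simplified version of fail2ban's host pattern, and replays fail2ban's "ban after maxretry hits inside findtime" logic over constructed log lines. The log line layout is assumed to follow BIND 9's queries and security logging categories (`query: name IN ANY` and `query (cache) '...' denied`); check it against your own named.conf channels before using the regexes in a real filter.

```python
"""Replay fail2ban's maxretry/findtime logic over BIND query-log lines.

Added example for the thread above; the log lines are constructed and the
regexes are illustrative, not fail2ban's shipped filters.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on BIND 9 "queries" and "security"
# category output. 192.0.2.10 fires three ANY queries within a second and
# another one two minutes later; 203.0.113.7 sends one normal A query and a
# single ANY; 198.51.100.77 asks four times for a zone we are not
# authoritative for (recursion is off, so BIND logs the queries as denied).
SAMPLE_LOG = [
    "24-Jul-2012 07:30:01.100 queries: info: client 192.0.2.10#53211: query: example.net IN ANY +E (198.51.100.5)",
    "24-Jul-2012 07:30:01.200 queries: info: client 192.0.2.10#53212: query: example.net IN ANY +E (198.51.100.5)",
    "24-Jul-2012 07:30:01.300 queries: info: client 192.0.2.10#53213: query: example.net IN ANY +E (198.51.100.5)",
    "24-Jul-2012 07:30:02.000 queries: info: client 203.0.113.7#4000: query: www.example.net IN A + (198.51.100.5)",
    "24-Jul-2012 07:30:05.000 queries: info: client 203.0.113.7#4001: query: example.net IN ANY +E (198.51.100.5)",
    "24-Jul-2012 07:30:10.000 security: info: client 198.51.100.77#1053: query (cache) 'www.example.org/A/IN' denied",
    "24-Jul-2012 07:30:11.000 security: info: client 198.51.100.77#1054: query (cache) 'mail.example.org/MX/IN' denied",
    "24-Jul-2012 07:30:12.000 security: info: client 198.51.100.77#1055: query (cache) 'example.org/NS/IN' denied",
    "24-Jul-2012 07:30:13.000 security: info: client 198.51.100.77#1056: query (cache) 'example.org/A/IN' denied",
    "24-Jul-2012 07:32:00.000 queries: info: client 192.0.2.10#53214: query: example.net IN ANY +E (198.51.100.5)",
]

# Rules written the way a fail2ban filter's failregex is written, one per
# abuse pattern from the mail: ANY queries, and queries denied because the
# server is not authoritative for the name. Illustrative, assumed format.
FAILREGEX = {
    "bind-any": r"client <HOST>#\d+: query: \S+ IN ANY\b",
    "bind-denied": r"client <HOST>#\d+: query \(cache\) '[^']+' denied",
}

# Simplified stand-in for fail2ban's <HOST> expansion: an IPv4 or IPv6 literal.
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"

# BIND's default timestamp prefix, e.g. "24-Jul-2012 07:30:01.100".
TS_RE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+")


def compile_rules(failregex=FAILREGEX):
    """Turn <HOST>-tagged failregex strings into compiled regexes."""
    return {name: re.compile(pat.replace("<HOST>", HOST_RE))
            for name, pat in failregex.items()}


def parse_ts(line):
    """Return the line's timestamp as a datetime, or None if it has none."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S") if m else None


def detect(lines, maxretry=3, findtime=60):
    """Return sorted (rule, host) pairs that would be banned.

    A host is banned by a rule once it has maxretry matching lines whose
    timestamps all fall inside a sliding window of findtime seconds, which is
    how fail2ban's jail parameters behave. A low maxretry with a short
    findtime still lets a few stray queries (and their NX answers) through.
    """
    rules = compile_rules()
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)   # (rule, host) -> timestamps inside the window
    banned = set()
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        for name, rx in rules.items():
            m = rx.search(line)
            if not m:
                continue
            key = (name, m.group("host"))
            if key in banned:
                continue            # fail2ban bans once; later lines are moot
            q = hits[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()         # drop hits older than findtime
            if len(q) >= maxretry:
                banned.add(key)
    return sorted(banned)


if __name__ == "__main__":
    for rule, host in detect(SAMPLE_LOG):
        print(f"{rule}: ban {host}")
```

With maxretry=3 and findtime=60 the run bans 192.0.2.10 under bind-any and 198.51.100.77 under bind-denied, while 203.0.113.7's single ANY query and its ordinary A query go unpunished, and the ANY query at 07:32:00 does not count against 192.0.2.10 because the earlier three have fallen out of the window. Raising maxretry to 5 bans nobody on this input, which is the trade-off the mail describes: the stricter the threshold, the more a spoofed-source flood gets through before the source is blocked.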