[162035] in North American Network Operators' Group


Re: Open Resolver Problems

daemon@ATHENA.MIT.EDU (Brian Dickson)
Mon Apr 1 12:42:27 2013

Date: Mon, 1 Apr 2013 12:42:13 -0400
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

For filtering to/from "client-only" networks, here are the filtering rules
(in pseudo-code; convert to the appropriate syntax for whatever devices you
operate) for DNS.

The objective here is:
- prevent spoofed-source DNS reflection attacks from your customers, from
leaving your network
- prevent your customers' open DNS servers (regardless of what they are)
from being used in reflection attacks
- permit normal DNS usage by clients, regardless of whether they are
talking to an external DNS resolver, or doing their own local resolution
(e.g. local DNS resolver on a host, or SOHO router)

from client:
permit source=client-subnet dest=any port=53 proto=TCP (TCP only works if it
reaches "established", i.e. spoofing is irrelevant, but we stop spoofed SYNs
here)
permit source=client-subnet dest=any port=53 proto=UDP QR=0 (first/highest
bit of 3rd octet of DNS packet payload of UDP)
deny port=53 (regardless of source/dest - either spoofed source, or QR=1,
if reached this rule)

to client:
permit dest=any source=any port=53 proto=TCP
permit dest=any source=any port=53 QR=1 (first/highest bit of 3rd octet of
DNS packet payload of UDP)
deny port=53 proto=UDP (QR=0 which is what we want to avoid)
(We don't have to check dest==client-subnet, since routing handles this
requirement)

If you have "eyeball" networks, please apply liberally.

Brian
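The two rule lists above, expressed as a small packet classifier so the QR-bit logic can be exercised offline. This is an added example and not code from the original post or from any vendor's ACL syntax. It assumes a client subnet of 192.0.2.0/24 (chosen for illustration), reads "port=53" as matching either the source or the destination port, and reads the QR bit from the first three octets of the UDP payload, so only first fragments can be classified; the DNS headers used as input are constructed inline.

```python
"""Toy classifier for the DNS filtering rules in the post (added example).

Assumptions, not taken from the post: the client subnet is 192.0.2.0/24,
"port=53" matches source or destination port, and the QR bit is read from
the UDP payload of the packet in hand (first fragments only).
"""
import ipaddress
import struct
from typing import Optional

# Assumed "client-only" (eyeball) prefixes; replace with the real ones.
CLIENT_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]

DNS_PORT = 53


def build_dns(txid: int, response: bool) -> bytes:
    """Construct a minimal 12-octet DNS header (test input, constructed here).

    flags 0x0100 = RD set, QR clear (a query); 0x8180 = QR|RD|RA (a response).
    """
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def dns_qr_bit(payload: bytes) -> Optional[int]:
    """Return the QR bit: the high bit of the 3rd octet of the DNS header.

    Returns None when the payload is too short to carry a DNS header
    (e.g. a non-initial IP fragment); callers treat None as "deny".
    """
    if len(payload) < 3:
        return None
    return (payload[2] >> 7) & 1


def _is_client(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLIENT_SUBNETS)


def _dns_port(sport: int, dport: int) -> bool:
    return sport == DNS_PORT or dport == DNS_PORT


def filter_from_client(src: str, dst: str, proto: str, sport: int, dport: int,
                       payload: bytes = b"") -> str:
    """The "from client" list: traffic leaving the client subnet."""
    if not _dns_port(sport, dport):
        return "no-match"      # not DNS; later ACL entries decide
    if proto == "tcp" and _is_client(src):
        return "permit"        # spoofed SYNs die here; the handshake covers the rest
    if proto == "udp" and _is_client(src) and dns_qr_bit(payload) == 0:
        return "permit"        # a query (QR=0) from a genuine client address
    return "deny"              # spoofed source, or a UDP response (QR=1) leaving


def filter_to_client(src: str, dst: str, proto: str, sport: int, dport: int,
                     payload: bytes = b"") -> str:
    """The "to client" list: traffic entering the client subnet."""
    if not _dns_port(sport, dport):
        return "no-match"
    if proto == "tcp":
        return "permit"
    if proto == "udp" and dns_qr_bit(payload) == 1:
        return "permit"        # answers (QR=1) to the client's own queries
    return "deny"              # inbound UDP queries (QR=0) aimed at a customer's open resolver


if __name__ == "__main__":
    query = build_dns(0x1234, response=False)
    answer = build_dns(0x1234, response=True)
    # Constructed packets: (direction, src, dst, proto, sport, dport, payload)
    samples = [
        ("from", "192.0.2.10", "198.51.100.1", "udp", 40000, 53, query),   # client query
        ("from", "203.0.113.5", "198.51.100.1", "udp", 40000, 53, query),  # spoofed source
        ("from", "192.0.2.10", "198.51.100.1", "udp", 53, 40000, answer),  # reflection from open resolver
        ("to", "198.51.100.1", "192.0.2.10", "udp", 53, 40000, answer),    # legitimate answer
        ("to", "203.0.113.5", "192.0.2.10", "udp", 40000, 53, query),      # query to open resolver
    ]
    for direction, *args in samples:
        fn = filter_from_client if direction == "from" else filter_to_client
        print(direction, args[:5], "->", fn(*args))
```

The verdict for a packet that carries no DNS header (a non-initial fragment, or a payload shorter than three octets) is "deny" in both directions; a real ACL needs an explicit fragment rule ahead of these entries, since large UDP answers (DNSSEC, EDNS0) can arrive fragmented and the QR bit is only present in the first fragment.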
