[162046] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Joe Abley)
Mon Apr 1 14:42:30 2013
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <1452969.462.1364840356835.JavaMail.root@benjamin.baylink.com>
Date: Mon, 1 Apr 2013 14:33:57 -0400
To: Jay Ashworth <jra@baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 2013-04-01, at 14:19, Jay Ashworth <jra@baylink.com> wrote:
>> From: "Roland Dobbins" <rdobbins@arbor.net>
>
>> On Apr 1, 2013, at 11:18 PM, Patrick W. Gilmore wrote:
>>> Of course, since users shouldn't be using off-net name servers
>>> anyway, this isn't really a problem! :)
>>
>> ;>
>>
>> It's easy enough to construct ACLs to restrict the broadband consumer
>> access networks from doing so. Additional egress filtering would catch
>> any reflected attacks, per your previous comments.
>
> So, how would Patrick's caveat affect me, whose recursive resolver *is
> on my Linux laptop*? Would not that recursor be making queries he
> advocates blocking?
The badness that Patrick is talking about blocking is DNS responses being sent from consumer devices to the Internet, answering DNS queries being sent from the Internet towards consumer devices. (I think. This thread is sufficiently circular that I feel a bit dizzy, and could be mistaken.) The DNS traffic outbound from your laptop will be DNS queries (not responses) and the inbound traffic will be DNS responses (not queries). The traffic profiles are different.

The case where infected consumer devices originate source-spoofed queries towards open resolvers, feeding a query stream to an amplifier for delivery to a victim, is mitigated by preventing those consumer devices from spoofing their source address, so BCP38.

The case where infected consumer devices originate non-source-spoofed queries towards DNS servers in order to overwhelm the servers themselves with perfectly legitimate-looking queries is a harder problem to solve at the edge, and is most easily mitigated for DNS server operators by the approach "ensure great headroom".
Joe
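The two edge rules the message distinguishes, "drop DNS responses leaving the consumer side (and queries arriving from the Internet), but let queries out and responses in" and "drop anything whose source address is not in the customer prefix" (BCP38), can be modelled as a small packet classifier. The following is an added example, not code from the thread or from any of its participants; the customer prefix 203.0.113.0/24, the sample addresses and the DNS messages are constructed here for illustration. It decides on the DNS header's QR bit rather than on port numbers alone, which is what makes Jay's laptop recursor pass: its outbound packets are queries (QR=0) and its inbound packets are responses (QR=1).

```python
"""Direction-aware DNS edge filter with a BCP38 check (added illustration)."""
import ipaddress
import struct
from dataclasses import dataclass

# Assumption: the prefix assigned to the broadband customers behind this edge.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")
DNS_PORT = 53


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes  # UDP payload


def build_dns_message(qname: str, response: bool, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS header plus one question (and one A record when
    response=True). Constructed test data only, not a full DNS encoder."""
    flags = 0x8180 if response else 0x0100          # QR|RD|RA  vs  RD only
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    labels = qname.strip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)             # QTYPE A, QCLASS IN
    answer = b""
    if response:
        # compression pointer to the name at offset 12, type A, class IN,
        # TTL 300, RDLENGTH 4, RDATA 192.0.2.1 (documentation address)
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def is_dns_response(payload: bytes) -> bool:
    """True if the QR bit (top bit of the flags word at bytes 2..3) is set."""
    if len(payload) < 12:
        return False
    return bool(struct.unpack("!H", payload[2:4])[0] & 0x8000)


def edge_verdict(pkt: Packet, from_customer: bool):
    """Apply, in order: BCP38 on customer-originated traffic, then the
    query/response direction rule on UDP/53 traffic. Returns (verdict, reason)."""
    src = ipaddress.ip_address(pkt.src_ip)
    if from_customer and src not in CUSTOMER_PREFIX:
        return ("drop", "bcp38: source not in customer prefix")
    if DNS_PORT not in (pkt.src_port, pkt.dst_port):
        return ("accept", "not dns")
    resp = is_dns_response(pkt.payload)
    if from_customer and resp:
        return ("drop", "dns response leaving customer side")
    if not from_customer and not resp:
        return ("drop", "dns query arriving from internet to customer")
    return ("accept", "dns response to customer" if resp else "dns query from customer")


if __name__ == "__main__":
    q = build_dns_message("example.com", response=False)
    r = build_dns_message("example.com", response=True)
    cases = [
        # laptop recursor querying an off-net server, and the answer coming back
        (Packet("203.0.113.10", "198.51.100.53", 40000, 53, q), True),
        (Packet("198.51.100.53", "203.0.113.10", 53, 40000, r), False),
        # infected host spoofing a victim's address towards an open resolver
        (Packet("192.0.2.99", "198.51.100.53", 40000, 53, q), True),
        # consumer device acting as an open resolver for the Internet
        (Packet("198.51.100.7", "203.0.113.20", 5555, 53, q), False),
        (Packet("203.0.113.20", "198.51.100.7", 53, 5555, r), True),
    ]
    for pkt, from_cust in cases:
        print(pkt.src_ip, "->", pkt.dst_ip, edge_verdict(pkt, from_cust))
```

The classifier only covers UDP on port 53; DNS over TCP and resolvers listening on other ports would need the same QR-bit logic applied to those flows, and a customer who legitimately runs an authoritative server behind the edge would be cut off by the "no queries in, no responses out" rule, which is why the thread treats it as a policy for consumer access networks specifically. In production the same two rules would be expressed as router ACLs and uRPF rather than in a script; the code is meant to make the direction distinction concrete.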