[167435] in North American Network Operators' Group
Re: Best practice on TCP replies for ANY queries
daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Dec 11 14:36:33 2013
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CALo9H1abJY0_G6YPGkhF6KWtLhBTpDxmOM++GvDGvA_UhG=Agg@mail.gmail.com>
Date: Wed, 11 Dec 2013 14:26:22 -0500
To: Arturo Servin <arturo.servin@gmail.com>
Cc: NANOG Mailing List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
dns-operations list is likely best suited for this question, but...
If using BIND 9.9.4 you can set the system to use TCP for repeated queries to prevent spoofed ones from being replied to (i.e.: use yourself as an amplifier).
There are lists of domains published that are used in abuse, e.g.:
https://twitter.com/DnsSmurf
http://dnsamplificationattacks.blogspot.nl/
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
You should restrict your DNS server (as much as possible) to only respond to your customer base.
If you are using microsoft dns, STOP. It has no way to restrict the clients it replies to queries for. Set up real software to forward to it which does the filtering and scoping for your space.
NSD and others also have the ability to configure rate-limiting; knowing what software you are using is an important key here for proper recommendations and guide pointers.
Good luck,
- jared
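As an added illustration (not part of Jared's message or anything else in this thread), the named.conf fragment below shows the two measures he describes for BIND 9.9.4 together: scoping the resolver to your own customer prefixes with ACLs, and enabling Response Rate Limiting with a "slip" so that repeated identical answers to one client block go out as truncated (TC=1) replies, which a legitimate resolver retries over TCP and a spoofed source simply never receives as a full-size answer. The "customers" prefixes, the directory path and the per-second values are placeholders chosen for the example, not figures recommended anywhere in the thread.

```conf
// Added example, not from the thread: BIND 9.9.4+ named.conf fragment
// combining client scoping (ACLs) with Response Rate Limiting (RRL).

acl customers {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;          // placeholder customer prefix (RFC 5737 documentation range)
    2001:db8::/32;         // placeholder customer prefix (RFC 3849 documentation range)
};

options {
    directory "/var/cache/bind";   // placeholder path

    // Only answer, recurse for, and serve cached data to our own clients.
    // Everyone else gets a small REFUSED, which RRL below also throttles.
    allow-query       { customers; };
    allow-recursion   { customers; };
    allow-query-cache { customers; };

    // Do not pad answers with authority/additional data: smaller
    // responses mean less amplification even for permitted queries.
    minimal-responses yes;

    // Response Rate Limiting. Identical responses are counted per
    // client prefix, not per source address, so a spoofer cannot
    // dodge it by rotating addresses inside one /24.
    rate-limit {
        responses-per-second 5;    // identical positive answers per second per prefix
        nxdomains-per-second 5;    // NXDOMAIN answers per second per prefix
        errors-per-second    5;    // SERVFAIL/REFUSED etc. per second per prefix
        window 5;                  // seconds over which a prefix may bank credit
        slip 2;                    // every 2nd suppressed answer is sent as a short
                                   // TC=1 reply so a real client falls back to TCP;
                                   // the rest are silently dropped
        ipv4-prefix-length 24;     // aggregation size for IPv4 clients
        ipv6-prefix-length 56;     // aggregation size for IPv6 clients
        log-only no;               // start with "yes" to measure before enforcing
    };
};
```

Run named-checkconf on the file before reloading, and do a first pass with log-only yes so you can see in the rate-limit log category what would have been dropped before you start dropping it. On the 9.9.x series RRL has to have been compiled in (the --enable-rrl configure option); from BIND 9.10 it is built by default. On an authoritative-only server drop the three allow-* lines, since it has to answer the whole Internet, and rely on the rate-limit block alone. NSD has the same mechanism under different names (rrl-ratelimit and rrl-slip in nsd.conf, provided the build has rate limiting enabled), which is why Jared asks what software is in use before giving more specific pointers.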
On Dec 11, 2013, at 2:17 PM, Arturo Servin <arturo.servin@gmail.com> wrote:
> I think it is a better idea to rate-limit your responses rather than
> limiting the size of them.
>
> AFAIK, bind has a way to do it.
>
> .as
>
> On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia <me@anuragbhatia.com> wrote:
>> Hi ML
>>
>> Yeah I can understand. Even DNSSEC will have issues with it, which makes me
>> worry about the rule even today.
>>
>> On Wed, Dec 11, 2013 at 11:49 PM, ML <ml@kenweb.org> wrote:
>>
>>> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
>>>>
>>>> I am sure I am not the first person experiencing this issue. Curious to hear
>>>> how you are managing it. Also, under what circumstances can I get a
>>>> legitimate TCP query on port 53 whose reply exceeds a basic limit of less
>>>> than 1000 bytes?
>>>>
>>>
>>> I'm not a DNS guru so I don't have an exact answer. However my gut
>>> feeling is that putting in place a rule to drop or rate limit DNS
>>> replies greater than X bytes is probably going to come back to bite you
>>> in the future.
>>>
>>> No one can predict the future of what will constitute legitimate DNS
>>> traffic.
>>>
>>
>> --
>>
>> Anurag Bhatia
>> anuragbhatia.com
>>
>> Linkedin <http://in.linkedin.com/in/anuragbhatia21> |
>> Twitter <https://twitter.com/anurag_bhatia>
>> Skype: anuragbhatia.com