Hello. Your interpretation of what is occurring may be interfering with
your understanding of it.
On Fri, 3 Nov 2023, Amaury Van Pevenaeyge wrote:
[...] As part of my Master's thesis, I have to implement a DNS
amplification scenario within a Cyber Range. However, before achieving
this final goal, I first need to make amplification rate measurements
within a virtual machine system. I therefore have a few questions about
the DNS protocol and DNS servers.
* Why do some DNS servers respond via TCP to an ANY query made under
UDP? I have read in RFC8482 that modern DNS servers try to limit
responses to ANY queries in order to limit the impact of their use in
DNS amplification attacks, but I would like to learn more about the
security measures/best practices currently in place for this type of
query and for big TXT responses. Does anyone have any sources or
other RFCs that might be useful?
It is impossible for a DNS server to respond via TCP to a UDP query at a
networking level. In general there are two kinds of amplification, number
of packets (velocity) and size of packets (volume).
It seems you understand that it is only possible to present a source
address "on behalf of another" with UDP. This is incorrect. While TCP is a
mitigation for blind trust in the source address of a packet, TCP SYN
itself results in amplification (velocity) in the form of SYN/ACKs in the
default tuning of most network stacks.
When a DNS response via UDP is unable to be accommodated within the size
(volume) constraints dictated by path MTU two things can happen: 1) the
UDP response can be fragmented, resulting in multiple packets to be
reassembled; or 2) the server can indicate to the client to retry over TCP
(TC=1).
TC=1 is also used as an at least partial mitigation for (spoofed)
amplification traffic, as seen with response rate limiting.
The typical resolver doesn't retry over TCP at all if it doesn't
receive a (UDP) response with TC=1, for instance if it doesn't receive any
response at all.
So you have knobs in the zone data, the server, the networking stack
and all of the intermediating routers to twiddle. You can throw "buffer bloat"
in there too.
It's interesting that Dig automagically tries TCP first with ANY queries,
since that is not the default behavior with e.g. A queries.
--
Fred Morris, internet plumber
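The client-side behaviour described above (a resolver retries over TCP only when the UDP reply carries TC=1, gives up when no reply arrives at all, and the size ratio of reply to query is the volume amplification that truncation and response rate limiting bound), as an added example that is not part of this thread. It builds a minimal query, decodes the DNS header, and classifies two constructed replies offline; the replies are sample data, not captured from any server.

```python
import struct

QTYPE = {"A": 1, "TXT": 16, "ANY": 255}

def build_query(qname, qtype, txn_id=0x1234):
    """Minimal DNS query: 12-byte header (RD=1) plus one question, no EDNS."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)

def parse_header(pkt):
    """Decode the DNS header; QR is bit 15 and TC is bit 9 of the flags word."""
    if len(pkt) < 12:
        raise ValueError("short DNS packet")
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txn_id, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def classify_udp_reply(query, reply):
    """Decide what a resolver does with a UDP reply and report reply/query byte ratio.
    None means no reply arrived: without a TC=1 reply there is nothing to retry over TCP."""
    if reply is None:
        return {"action": "give_up", "ratio": 0.0}
    hdr = parse_header(reply)
    qid = struct.unpack("!H", query[:2])[0]
    if not hdr["qr"] or hdr["id"] != qid:          # not a response, or not ours: drop it
        return {"action": "ignore", "ratio": 0.0}
    ratio = len(reply) / len(query)
    if hdr["tc"]:                                  # server asked us to retry over TCP
        return {"action": "retry_tcp", "ratio": ratio}
    return {"action": "accept", "ratio": ratio}

def constructed_replies(query):
    """Two constructed server replies for the query (sample data, not captured traffic):
    a truncated one (TC=1, empty answer) and a full one carrying a 200-byte TXT record."""
    qid, question = query[:2], query[12:]
    truncated = qid + struct.pack("!HHHHH", 0x8380, 1, 0, 0, 0) + question
    txt_rdata = b"\xc8" + b"x" * 200               # one 200-byte character-string
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(txt_rdata)) + txt_rdata
    full = qid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + rr
    return truncated, full

if __name__ == "__main__":
    q = build_query("example.com", "ANY")
    for name, r in zip(("truncated", "full", "none"), constructed_replies(q) + (None,)):
        print(name, classify_udp_reply(q, r))
```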
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users