On 28/03/2013 21:38, Michael Mol wrote: > On 03/28/2013 03:16 PM, Alan McKinnon wrote: >> On 28/03/2013 17:38, Michael Mol wrote: >>> On 03/28/2013 04:51 AM, Norman Rieß wrote: >>>> Hello, >>>> >>>> i am using pdns recursor to provide a dns server which should be usable >>>> for everybody.The problem is, that the server seems to be used in dns >>>> amplification attacks. >>>> I googled around on how to prevent this but did not really find >>>> something usefull. >>>> >>>> Does anyone got an idea about this? >>> >>> I'm not sure it can be done. You can't make a resolver available to >>> "everybody" without somebody in that "everybody" group abusing it, and >>> that's exacly what happens in a DNS amplification attack. >>> >>> Restrict your resolver to be accessible only to your network or, at >>> most, those of the specific group of people you're seeking to help. >>> >>> You *might* try restricting the resolver to only respond to TCP requests >>> rather than UDP requests, >> >> NO NO NO NO NO >> >> Under no circumstances ever do this. The service breaks horribly when >> you do this and it has to work even remotely hard. Most likely your ISP >> will outright ban you for that if you use the ISP's caches. I knwo I do, >> and so does every other major ISP in this country. > > Er, what? When we're talking about a recursive resolver requiring > clients connecting to it to use TCP, what does upstream care? He's > talking about running his own open DNS server.
Because the list is indexed and archived and Googled forever. Others may get the idea that TCP-only DNS caches are a good idea in general. Have you ever had to deal with the insanity caused when Windows Servers insist on using TCP only, and YOU are the upstream? I understand what the OP was suggesting, but he did not limit the usefulness and scope of the suggestion, so I did. > >> >> but if the resolver sends response data along >>> with that first SYN+ACK, then nothing is solved, and you've opened >>> yourself up to a SYN flood-based DoS attack. (OTOH, if your resolver >>> went offline as a result of a SYN flood, at least it wouldn't be part of >>> an amplification attack any longer...) >> >> >> Or just use the ISP's DNS caches. In the vast majority of cases, the ISP >> knows how to do it right and the user does not. > > Generally true, though I've known people to choose not to use ISP caches > owing to the ISP's implementation of things like '*' records, ISPs > applying safety filters against some hostnames, and concerns about the > persistence of ISP request logs. I get a few of those too every now and again. I know for sure in my case their fears are unfounded, but can't prove it. Those few (and they are few) can go ahead and deploy their own cache. I can't stop them, they are free to do it, they are also free to ignore my advice of they choose. -- Alan McKinnon alan.mckin...@gmail.com
