Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Zuleger, Holger, Vodafone Germany
> > are there legitimate reasons to continue supporting ANY queries? Good question. > They are very useful for debugging. I would regret their > disappearance. What about forcing TCP for ANY requests only? It would > limit ANY requests to people who don't spoof their source IP address. > > I do n

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-10 Thread Zuleger, Holger, Vodafone Germany
> > What type of queries? > > ANY queries for ihren.org with no UDP checksum: > > shaun# tcpdump -vv -n port 53 > 09:32:30.139803 IP (tos 0x0, ttl 251, id 24876, offset 0, flags > [none], proto UDP (17), length 66) 37.221.160.125.28832 > > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.o

Re: [dns-operations] DDoS botnet behaviour

2012-06-10 Thread Kyle Creyts
It seems to me that it might be pertinent to split this discussion into clear threads. There are several different attack patterns being discussed here, and it is my opinion that they have distinct and different solutions, and may merit separated discussion, or at least identification. The < https

Re: [dns-operations] DDoS botnet behaviour

2012-06-10 Thread Vernon Schryver
> From: Jim Reid > My logs tended to have a few hundred entries at a time for the same > (spoofed?) IP address. So as soon as I blackholed the last IP address > in the log file, entries for another would be appended. At 4am and > there's a caffeine deficit, this looks like a new client has

Re: [dns-operations] Rate limiting for DNS: list of practices

2012-06-10 Thread Paul Hoffman
On Jun 10, 2012, at 1:17 PM, Stephane Bortzmeyer wrote: > On Sun, Jun 10, 2012 at 12:47:22PM -0700, > Paul Hoffman wrote > a message of 9 lines which said: > >> It would be useful if there was a somewhat-up-to-date document that >> we can point DNS operators towards that covers this. > > A b

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Vernon Schryver
> From: Paul Vixie > To: sth...@nethelp.no > Cc: dns-operati...@mail.dns-oarc.net > > I'm afraid we may need more control. If my clients are generating a DDoS > > attack at 20 responses per second, and I limit this to 5 per second - > > the C&C can get the same effect by mobilizing four times as

[dns-operations] DDoS botnet behaviour

2012-06-10 Thread Jim Reid
On 10 Jun 2012, at 22:59, Kyle Creyts wrote: Someone mentioned that as soon as the spoofed client is blocked, that a new spoofed client is used... This behavior seems... strange. I did and I was wrong. My logs tended to have a few hundred entries at a time for the same (spoofed?) IP address

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Kyle Creyts
On Sun, Jun 10, 2012 at 2:33 PM, Paul Vixie wrote: >> I'm afraid we may need more control. If my clients are generating a DDoS >> attack at 20 responses per second, and I limit this to 5 per second - >> the C&C can get the same effect by mobilizing four times as many clients >> to do the job. > >

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Kyle Creyts
Wouldn't an ANY query to a recursive ONLY return the cached records? On Sun, Jun 10, 2012 at 11:26 AM, wrote: >> "Not supporting" >> ANY queries would also have side effects - simply dropping the >> query maks the authoritative server appear unresponsive to the >> recursive server initiating the

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Paul Vixie
On 2012-06-10 4:47 PM, sth...@nethelp.no wrote: >> to that end, vernon schryver and i have been exploring rate limiting in >> BIND 9. there's a patch available, which i've so far offered only to >> anyone whose server is currently getting abused. what i'm worried about >> is that our profile for go

Re: [dns-operations] Rate limiting for DNS: list of practices

2012-06-10 Thread Stephane Bortzmeyer
On Sun, Jun 10, 2012 at 12:47:22PM -0700, Paul Hoffman wrote a message of 9 lines which said: > It would be useful if there was a somewhat-up-to-date document that > we can point DNS operators towards that covers this. A beginning is here

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread bert hubert
On Jun 10, 2012, at 1:24 PM, Kyle Creyts wrote: > So, list, I am young and foolish. Aside from being in the RFC, are there > legitimate reasons to continue supporting ANY queries? > Yes, you don't have that power. If you issue an RFC that ANY queries are deprecated, nothing will happen. People

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread SM
Hi Roland. At 03:33 10-06-2012, Dobbins, Roland wrote: If that's it, then would asking djb to change its behavior so as to issue TXT requests to look for SPF records make sense? There is a thread at https://lists.dns-oarc.net/pipermail/dns-operations/2009-October/004542.html about whether cha

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread bert hubert
On Jun 10, 2012, at 12:17 PM, Dobbins, Roland wrote: > Clue appreciated, thanks! Close reading of RFC 1035 shows that sending RD=1 ANY queries is taking a huge chance.. An ANY RD=1 query to a resolver basically means 'give me what you have in the cache', and if only if you have nothing, go out

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread sthaug
> > limiting EDNS responses to 1460 bytes, as suggested [by me], will > > block quite a few legitimate replies (not just ANY replies). > > Why? The response will be sent, just with a TC bit, and the client, if > it is not lying about its IP address, will retry with TCP. No > blocking. Agreed, thi

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Stephane Bortzmeyer
On Sun, Jun 10, 2012 at 06:47:22PM +0200, sth...@nethelp.no wrote a message of 44 lines which said: > limiting EDNS responses to 1460 bytes, as suggested [by me], will > block quite a few legitimate replies (not just ANY replies). Why? The response will be sent, just with a TC bit, and the cl

[dns-operations] Rate limiting for DNS: list of practices

2012-06-10 Thread Paul Hoffman
The "annoying DDoS attack on ns0.rfc1035.com" thread brought some suggestions of how to do rate limiting for DNS owners under attack. It would be useful if there was a somewhat-up-to-date document that we can point DNS operators towards that covers this. Yes, I am volunteering to collect the inf

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-10 Thread Jim Reid
On 10 Jun 2012, at 17:20, Jan Inge Sande wrote: I'm seeing the same attack as Jim Reid described on one of my nameservers too (just found the "source"/target address on Gmane and signed up for the mailinglist), at ~3Kqps/1.3Mbits at the moment (in Germany, AS24940). No UDP checksum, the sou

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread sthaug
> "Not supporting" > ANY queries would also have side effects - simply dropping the > query makes the authoritative server appear unresponsive to the > recursive server initiating the query. Note that in many cases the server receiving the ANY query is a recursive server, not an authoritative serve

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread DTNX Postmaster
On Jun 10, 2012, at 16:23, Paul Vixie wrote: > On 2012-06-10 12:59 PM, Patrick W. Gilmore wrote: A single ANY query for a domain gives you the NS, MX, TXT and SPF records, plus any A/ record present. At scale, who knows, the reduction in number of queries probably adds up. >>>

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Peter Koch
On Sun, Jun 10, 2012 at 04:24:51AM -0700, Kyle Creyts wrote: > So, list, I am young and foolish. Aside from being in the RFC, are there > legitimate reasons to continue supporting ANY queries? ANY queries are not bad per se, even though their use in production queries is ill advised. Big response

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Colm MacCárthaigh
SMTP predates the "MX" rrtype. In RFC821, "c...@stdlib.net" means "connect to the host stdlib.net" and host records (e.g. "A" and now "") are what matters [*]. RFC1123 and later RFC2821 regularised the "MX" rrtype for mail routing, obviating the need for the host records at a mail domain. Howe

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread sthaug
> > One word: qmail. Google "qmail dns any query". > > thinking about or acting against ANY is bad infosec economics. any > investment along those lines is wasted, since ANY is merely the low > hanging fruit, and an attacker need only switch over to TXT or RRSIG or > NSEC to get a similar amplific

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-10 Thread Jan Inge Sande
Den 10. juni 2012 kl. 16:11 skrev Paul Vixie: > On 2012-06-10 8:45 AM, Jim Reid wrote: >> On 10 Jun 2012, at 09:19, DTNX Postmaster wrote: >>> The iptables rules mentioned in the first comment work well for us >> >> Well for starters, I [dw]on't use Linux. The server runs FreeBSD. > > what f-ro

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Michael Graff
So if enough people stopped answering users of qmail might change the field, even if the author won't change the code. --Michael (from an iPhone) On Jun 10, 2012, at 5:29, sth...@nethelp.no wrote: >> Clue appreciated, thanks! > > One word: qmail. Google "qmail dns any query". > > It would a

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Paul Vixie
On 2012-06-10 12:59 PM, Patrick W. Gilmore wrote: >>> A single ANY query for a domain gives you the NS, MX, TXT and SPF >>> records, plus any A/ record present. At scale, who knows, the >>> reduction in number of queries probably adds up. >> >> It strikes me as laziness and cost-shifting. > > I

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Paul Vixie
On 2012-06-10 10:29 AM, sth...@nethelp.no wrote: >> Clue appreciated, thanks! > One word: qmail. Google "qmail dns any query". thinking about or acting against ANY is bad infosec economics. any investment along those lines is wasted, since ANY is merely the low hanging fruit, and an attacker need

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-10 Thread Paul Vixie
On 2012-06-10 8:45 AM, Jim Reid wrote: > On 10 Jun 2012, at 09:19, DTNX Postmaster wrote: >> The iptables rules mentioned in the first comment work well for us > > Well for starters, I [dw]on't use Linux. The server runs FreeBSD. what f-root has done for the last ten years (also on freebsd) is: a

Re: [dns-operations] paying djb

2012-06-10 Thread Jan-Piet Mens
> Chancellor Merkel hasn't returned my calls even though I offered her > $100tn to fix the Euro crisis. She hangs out at https://twitter.com/Queen_Europe if you want to try again... ;-) -JP ___ dns-operations mailing list dns-operations@lists.dn

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Patrick W. Gilmore
Composed on a virtual keyboard, please forgive typos. On Jun 10, 2012, at 5:36, "Dobbins, Roland" wrote: > On Jun 10, 2012, at 6:25 PM, DTNX Postmaster wrote: > >> A single ANY query for a domain gives you the NS, MX, TXT and SPF records, >> plus any A/ record present. At scale, who knows,

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Dobbins, Roland
On Jun 10, 2012, at 7:30 PM, Noel Butler wrote: > Indeed, since he publicly declared qmail open source and abandoned back in, > ohh, 2008 IIRC Never mind, then. I stuck with sendmail, so never mucked about with qmail. --- Rol

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Noel Butler
On Sun, 2012-06-10 at 12:59 +0200, Jan-Piet Mens wrote: > > If that's it, then would asking djb to change its behavior > > ROFL. Ask DJB to change its behavior? Good luck with that. ;-) > > Indeed, since he publicly declared qmail open source and abandoned back in, ohh, 2008 IIRC (even

[dns-operations] ANY queries and rate limiting

2012-06-10 Thread Jim Reid
On 10 Jun 2012, at 12:57, Stephane Bortzmeyer wrote: What about forcing TCP for ANY requests only? It would be worth measuring and testing IMO. I doubt it would be a change for the better. Forcing kernels to maintain zillions of PCBs for short-lived TCP connections would be very bad. Thoug

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Stephane Bortzmeyer
On Sun, Jun 10, 2012 at 11:32:25AM +, Dobbins, Roland wrote a message of 20 lines which said: > I know his reputation (though I don't know him personally). I'll > ask him, see if he replies. Last time I tried, "asking Him" included a pledge to pay him a lot of money just in case he decid

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Stephane Bortzmeyer
On Sun, Jun 10, 2012 at 04:24:51AM -0700, Kyle Creyts wrote a message of 65 lines which said: > are there legitimate reasons to continue supporting ANY queries? They are very useful for debugging. I would regret their disappearance. What about forcing TCP for ANY requests only? It would limit

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-10 Thread Stephane Bortzmeyer
On Sun, Jun 10, 2012 at 11:05:19AM +0100, Paul J. Smith wrote a message of 38 lines which said: > You need to respond to ANY's if you want mail delivery to your > domains. There are some popular mail servers out there that don't > send MX requests, only ANY to find out where to deliver email

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Kyle Creyts
ANY queries, in my *limited* experience, have had higher latencies by an order or two of magnitude. but that was mostly when I was doing open resolver research a year or two ago. On Jun 10, 2012 7:25 AM, "DTNX Postmaster" wrote: > On Jun 10, 2012, at 12:33, Dobbins, Roland wrote: > > > On Jun 10,

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Dobbins, Roland
On Jun 10, 2012, at 6:25 PM, DTNX Postmaster wrote: > A single ANY query for a domain gives you the NS, MX, TXT and SPF records, > plus any A/ record present. At scale, who knows, the reduction in number > of queries probably adds up. It strikes me as laziness and cost-shifting. > And the

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Dobbins, Roland
On Jun 10, 2012, at 5:59 PM, Jan-Piet Mens wrote: > Ask DJB to change its behavior? Good luck with that. I know his reputation (though I don't know him personally). I'll ask him, see if he replies. --- Roland Dobbins //

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread DTNX Postmaster
On Jun 10, 2012, at 12:33, Dobbins, Roland wrote: > On Jun 10, 2012, at 5:29 PM, wrote: > >> One word: qmail. Google "qmail dns any query". > > If that's it, then would asking djb to change its behavior so as to issue TXT > requests to look for SPF records make sense? > > I know that doesn't

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Kyle Creyts
So, list, I am young and foolish. Aside from being in the RFC, are there legitimate reasons to continue supporting ANY queries? On Jun 10, 2012 7:03 AM, "Jan-Piet Mens" wrote: > > If that's it, then would asking djb to change its behavior > > ROFL. Ask DJB to change its behavior? Good luck with t

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Jan-Piet Mens
> If that's it, then would asking djb to change its behavior ROFL. Ask DJB to change its behavior? Good luck with that. ;-) -JP

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread sthaug
> > One word: qmail. Google "qmail dns any query". > > If that's it, then would asking djb to change its behavior so as to issue TXT > requests to look for SPF records make sense? My understanding is that djb has issued no patches to qmail after the last release version (several years ago). Ther

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Dobbins, Roland
On Jun 10, 2012, at 5:29 PM, wrote: > One word: qmail. Google "qmail dns any query". If that's it, then would asking djb to change its behavior so as to issue TXT requests to look for SPF records make sense? I know that doesn't do anything for currently-deployed MTAs, but one has to start so

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread sthaug
> Clue appreciated, thanks! One word: qmail. Google "qmail dns any query". It would actually be *good* to stop answering the ANY queries if that would force qmail installations to do something about this behavior. But I don't have high hopes... Steinar Haug, Nethelp consulting, sth...@nethelp.no

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Dobbins, Roland
On Jun 10, 2012, at 5:22 PM, Kyle Creyts wrote: > Spf? So, they're parsing through the list of answers for TXT records which include 'v=spf1'? --- Roland Dobbins // Luck is the residu

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Kyle Creyts
Spf? On Jun 10, 2012 6:17 AM, "Dobbins, Roland" wrote: > > Clue appreciated, thanks! > > --- > Roland Dobbins // > > Luck is the residue of opportunity and design. > >

[dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Dobbins, Roland
Clue appreciated, thanks! --- Roland Dobbins // Luck is the residue of opportunity and design. -- John Milton

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-10 Thread Paul J. Smith
Nope - I tested this some time ago - mail delivery from certain large providers will fail as they don't do MX requests, even if the ANY fails it seems. -Original Message- From: dns-operations-boun...@lists.dns-oarc.net [mailto:dns-operations-boun...@lists.dns-oarc.net] On Behalf Of DTNX

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-10 Thread DTNX Postmaster
On Jun 10, 2012, at 10:59, Dobbins, Roland wrote: > On Jun 10, 2012, at 3:45 PM, Jim Reid wrote: > >> And why pick on my name server which has never done anyone any harm? > > They're just looking for ANY records, there's no rhyme or reason to it. > They're spoofing the IP address of the target

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-10 Thread Paul J. Smith
You need to respond to ANY's if you want mail delivery to your domains. There are some popular mail servers out there that don't send MX requests, only ANY to find out where to deliver email to. Rate limiting is the way to go and stops it dead. Whilst you still get lots of requests, they dr

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-10 Thread DTNX Postmaster
On Jun 10, 2012, at 10:45, Jim Reid wrote: > On 10 Jun 2012, at 09:19, DTNX Postmaster wrote: > >> What type of queries? > > ANY queries for ihren.org with no UDP checksum: > > shaun# tcpdump -vv -n port 53 > 09:32:30.139803 IP (tos 0x0, ttl 251, id 24876, offset 0, flags [none], proto > UDP (

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-10 Thread Dobbins, Roland
On Jun 10, 2012, at 3:45 PM, Jim Reid wrote: > And why pick on my name server which has never done anyone any harm? They're just looking for ANY records, there's no rhyme or reason to it. They're spoofing the IP address of the target they're attacking - they're using your server for reflectio

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-10 Thread Jan-Piet Mens
> can i interest you in an experimental (thus far) patch to implement > per-{client,response} rate limiting in bind? Tony Finch has been working on query-rate limiting for BIND [1]: > This version of BIND has been modified by Tony Finch at the University > of Cambridge Computing Service to add p

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-10 Thread Jim Reid
On 10 Jun 2012, at 09:19, DTNX Postmaster wrote: What type of queries? ANY queries for ihren.org with no UDP checksum: shaun# tcpdump -vv -n port 53 09:32:30.139803 IP (tos 0x0, ttl 251, id 24876, offset 0, flags [none], proto UDP (17), length 66) 37.221.160.125.28832 > 93.186.33.42.53: [

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-10 Thread DTNX Postmaster
On Jun 10, 2012, at 07:10, Jim Reid wrote: > My name server has been getting hammered with queries for ihren.org -- one of > the zones it serves -- since around 00:00 GMT today. [The attack may have > started earlier and I just didn't notice it.] The box is getting ~400 qps for > this name. The