[dns-operations] baby/bathwater [Re: Why would an MTA issue an ANY query instead of an MX query?]

2012-06-11 Thread Peter Koch
On Tue, Jun 12, 2012 at 03:32:56AM +, Vernon Schryver wrote: > Joe and Joan should be using their ISP's validating, load balancing, > well (or at least somewhat) maintained DNS servers, just as they should > be using their ISP's SMTP systems. I'm sure my government loves you already. Why not

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Nicholas Suan
On Mon, Jun 11, 2012 at 11:32 PM, Vernon Schryver wrote: >> To: Vernon Schryver >> Cc: dns-operati...@mail.dns-oarc.net >> From: Mark Andrews > >> > Why aren't ISPs blocking UDP source port 53 to the core under their >> > old no-servers-for-consumers term of service? >> >> Perhaps because it is

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Vernon Schryver
> To: Vernon Schryver > Cc: dns-operati...@mail.dns-oarc.net > From: Mark Andrews > > Why aren't ISPs blocking UDP source port 53 to the core under their > > old no-servers-for-consumers term of service? > > Perhaps because it is a legitimate, though unwise, client source port > that is in lots

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Frank Bulk
Reminder that Cymru will be happy to daily generate a list of open DNS resolvers in your network: http://www.team-cymru.org/Services/Resolvers/ Frank -Original Message- From: dns-operations-boun...@lists.dns-oarc.net [mailto:dns-operations-boun...@lists.dns-oarc.net] On Behalf Of Kyle Cre

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Mark Andrews
In message <201206120146.q5c1kq6t057...@calcite.rhyolite.com>, Vernon Schryver writes: > > From: Chris Adams > > > Once upon a time, Mark Andrews said: > > > If we have Attacker -> CPE -> Auth -> CPE -> Target why isn't the CPE > > > returning answers from its cache? > > > > Most of the CPE ju

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Kyle Creyts
Er, unless it is from internal. Then there is a distinct and different problem, which would explain all behavior models... Inside attacker, non-cached, proxy: Attacker -> Proxy -> Recursive -> Auth -> Recursive -> Proxy -> Target Inside attacker, cached result (DNS lives outside NAT): Attacker

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Kyle Creyts
bigger question: why allow the UDP 53 to CPE to be answered as if it were from internal? the external connectivity to port 53 should be able to be forwarded at the consumer's discretion, but should certainly not be answered by the DNS proxy! On Mon, Jun 11, 2012 at 9:46 PM, Vernon Schryver wrote:

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Vernon Schryver
> From: Chris Adams > Once upon a time, Mark Andrews said: > > If we have Attacker -> CPE -> Auth -> CPE -> Target why isn't the CPE > > returning answers from its cache? > > Most of the CPE just run a DNS proxy (e.g. dnsmasq on Linux-based > boxes), not a full cache. Even if they ran a cache,

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Mark Andrews
In message <20120612001414.ga27...@hiwaay.net>, Chris Adams writes: > Once upon a time, Mark Andrews said: > > If we have Attacker -> CPE -> Auth -> CPE -> Target why isn't the CPE > > returning answers from its cache? > > Most of the CPE just run a DNS proxy (e.g. dnsmasq on Linux-based > boxes

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Chris Adams
Once upon a time, Mark Andrews said: > If we have Attacker -> CPE -> Auth -> CPE -> Target why isn't the CPE > returning answers from its cache? Most of the CPE just run a DNS proxy (e.g. dnsmasq on Linux-based boxes), not a full cache. Even if they ran a cache, the attack would still be CPE->Ta

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Mark Andrews
If we have Attacker -> CPE -> Auth -> CPE -> Target why isn't the CPE returning answers from its cache? How much unauthenticated amplification in the DNS is acceptable? Do we need to authenticate any response that results in amplification? If we do how do we get from where we are now to where we

[dns-operations] dns response rate limiting (DNS RRL) patch available for testing

2012-06-11 Thread Paul Vixie
Vernon Schryver and Paul Vixie have been working on DNS Response Rate Limiting (DNS RRL) as a patch set to BIND9 (9.9.1-P1 or 9.8.3-P1) and we are ready for broader external testing. Details on how to fetch the patches and specifications are at: http://www.redbarn.org/dns/ratelimits A note f

[dns-operations] etc (was Re: Restrict ANY query to TCP ?)

2012-06-11 Thread Paul Vixie
On 2012-06-11 5:46 PM, Olafur Gudmundsson wrote: > Paul, > how about much simpler configuration option to force all > any queries to be reissued over TCP, > restrict-any-udp "yes/no"; i think somebody has patented that. while i'm not a lawyer i don't think the RRL patch set runs afoul of that

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Florian Weimer
* Kyle Creyts: > Wouldn't an ANY query to a recursive ONLY return the cached records? This is implementation-dependent, and you can make sure that the cache contains sufficient amounts of data anyway. ___ dns-operations mailing list dns-operations@lists

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-11 Thread Wessels, Duane
In case anyone wants a little help finding out if their name servers are being hit with ANY queries, a new version of dnstop has been released with a filter to show only the ANY queries. You can get the source code at http://dns.measurement-factory.com/tools/dnstop/src/dnstop-20120611.tar.gz
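A log-side counterpart to the dnstop ANY filter, as an added example that is not part of dnstop or of this thread: Python that reads query-log lines (a constructed sample below, approximating BIND's query-log line format), keeps a sliding window of ANY queries per client /24 or /56 prefix, and reports prefixes whose peak count in the window reaches a threshold, together with whether they sent from UDP source port 53 (the pattern Mark Andrews asks about earlier on this page). Addresses, names, timestamps, the window length and the threshold are all constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, not real traffic: lines shaped like BIND's query log
# (timestamp, client addr#port, qname, class, type, flags, server addr).
SAMPLE_LOG = """\
11-Jun-2012 03:00:00.012 client 192.0.2.17#53: query: rfc1035.com IN ANY +E (203.0.113.5)
11-Jun-2012 03:00:00.031 client 192.0.2.18#53: query: rfc1035.com IN ANY +E (203.0.113.5)
11-Jun-2012 03:00:00.040 client 198.51.100.9#41023: query: www.rfc1035.com IN A + (203.0.113.5)
11-Jun-2012 03:00:00.055 client 192.0.2.19#53: query: rfc1035.com IN ANY +E (203.0.113.5)
11-Jun-2012 03:00:00.070 client 192.0.2.17#53: query: rfc1035.com IN ANY +E (203.0.113.5)
11-Jun-2012 03:00:00.200 client 198.51.100.9#41024: query: rfc1035.com IN MX + (203.0.113.5)
11-Jun-2012 03:00:01.900 client 192.0.2.20#53: query: rfc1035.com IN ANY +E (203.0.113.5)
11-Jun-2012 03:00:07.000 client 192.0.2.21#53: query: rfc1035.com IN ANY +E (203.0.113.5)
11-Jun-2012 03:00:07.100 client 2001:db8:1::7#53: query: rfc1035.com IN ANY +E (203.0.113.5)
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client '
    r'(?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+): query: (?P<qname>\S+) '
    r'(?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)')

def parse_line(line):
    """Return a dict for one query-log line, or None if the line is not a query record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d-%b-%Y %H:%M:%S.%f')
    rec['port'] = int(rec['port'])
    return rec

def client_prefix(addr, v4_bits=24, v6_bits=56):
    """Bucket a client address by network prefix (assumed /24 and /56; pick your own)."""
    bits = v4_bits if ipaddress.ip_address(addr).version == 4 else v6_bits
    return str(ipaddress.ip_network(f'{addr}/{bits}', strict=False))

def find_any_floods(lines, window_seconds=5.0, threshold=3):
    """Sliding-window count of ANY queries per source prefix (lines must be time-ordered).
    Returns {prefix: {'peak': n, 'port53': bool, 'qnames': set}} for prefixes whose
    peak count inside any window of window_seconds reached threshold."""
    windows = defaultdict(deque)
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['qtype'] != 'ANY':
            continue
        prefix = client_prefix(rec['addr'])
        w = windows[prefix]
        w.append(rec['ts'])
        while (w[-1] - w[0]).total_seconds() > window_seconds:
            w.popleft()                      # drop timestamps that fell out of the window
        entry = report.setdefault(prefix, {'peak': 0, 'port53': False, 'qnames': set()})
        entry['peak'] = max(entry['peak'], len(w))
        entry['port53'] |= rec['port'] == 53     # reflected queries often carry source port 53
        entry['qnames'].add(rec['qname'])
    return {p: e for p, e in report.items() if e['peak'] >= threshold}

if __name__ == '__main__':
    for prefix, entry in find_any_floods(SAMPLE_LOG.splitlines()).items():
        print(prefix, entry['peak'], 'port53' if entry['port53'] else '', sorted(entry['qnames']))
```

Grouping by prefix rather than by exact address is what makes the burst visible here: each individual address in 192.0.2.0/24 sends only one or two ANY queries, which is exactly how a spoofing attacker that walks through a target's subnet looks in a per-address view. The qname set is worth keeping because the reflected queries in this thread are all for one signed zone, so a single name dominating a prefix's ANY traffic is a stronger signal than the count alone.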

Re: [dns-operations] Restrict ANY query to TCP ? Re: Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Matthew Pounsett
On 2012/06/11, at 13:57, Thomas Dupas wrote: > Well, partly from what I see. > Posts from yesterday already mentioned that many sources are not spoofed for > the actual query the nameserver sees. > If I look at our logs I see that most of the any queries come from > north-america, not china. Th

Re: [dns-operations] Restrict ANY query to TCP ? Re: Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Randy Bush
> how about much simpler configuration option to force all > any queries to be reissued over TCP, > restrict-any-udp "yes/no"; as i charge by the byte, i like it a lot. ymmv. randy ___ dns-operations mailing list dns-operations@lists.dns-oarc.ne

Re: [dns-operations] Restrict ANY query to TCP ? Re: Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Thomas Dupas
Well, partly from what I see. Posts from yesterday already mentioned that many sources are not spoofed for the actual query the nameserver sees. If I look at our logs I see that most of the any queries come from north-america, not china. They use spoofed source ip's to reach the cpe, but the cpe

[dns-operations] Restrict ANY query to TCP ? Re: Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Olafur Gudmundsson
Paul, how about much simpler configuration option to force all any queries to be reissued over TCP, restrict-any-udp "yes/no"; And have Bind reply with TC=1 and empty answer section on ANY UDP queries. This is simple, no state needed, no firewall rules, and gets rid of spoofed addresse
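The TC=1 behaviour Olafur describes, as an added example that is not part of this thread or of BIND: a minimal Python responder over a constructed toy zone (example.com. with one MX and one A record, hypothetical data) that answers ANY over UDP with a truncated, answer-less reply and answers everything else normally. The `restrict_any_udp` flag, the zone contents and the helper names are this example's own, not the proposed BIND option.

```python
import struct

# RR types and header flag bits from RFC 1035.
QTYPE_A, QTYPE_MX, QTYPE_ANY = 1, 15, 255
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
HEADER = struct.Struct('!HHHHHH')   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

# Constructed toy zone (hypothetical data): owner -> [(type, rdata)].
ZONE = {
    'example.com.': [
        (QTYPE_MX, struct.pack('!H', 10) + b'\x04mail\x07example\x03com\x00'),
        (QTYPE_A, bytes([192, 0, 2, 1])),
    ],
}

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in the root label."""
    out = b''.join(bytes([len(l)]) + l.encode('ascii') for l in name.rstrip('.').split('.'))
    return out + b'\x00'

def build_query(qid, name, qtype, qclass=1):
    """A client query with RD set and a single question (used to construct input)."""
    return HEADER.pack(qid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack('!HH', qtype, qclass)

def parse_header(msg):
    qid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {'id': qid, 'flags': flags, 'qdcount': qd, 'ancount': an, 'nscount': ns, 'arcount': ar}

def parse_query(msg):
    """Parse the header and the single question; reject anything malformed."""
    if len(msg) < HEADER.size:
        raise ValueError('short message')
    hdr = parse_header(msg)
    if hdr['qdcount'] != 1 or hdr['flags'] & FLAG_QR:
        raise ValueError('expected a query with exactly one question')
    pos, labels = HEADER.size, []
    while True:
        if pos >= len(msg):
            raise ValueError('truncated name')
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError('compression pointer not allowed in a question name')
        labels.append(msg[pos:pos + ln].decode('ascii'))
        pos += ln
    if pos + 4 > len(msg):
        raise ValueError('truncated question')
    qtype, qclass = struct.unpack_from('!HH', msg, pos)
    hdr.update(name='.'.join(labels) + '.', qtype=qtype, qclass=qclass,
               question=msg[HEADER.size:pos + 4])
    return hdr

def truncated_reply(q):
    """TC=1, question echoed, empty answer section: the client must retry over TCP."""
    flags = FLAG_QR | FLAG_TC | (q['flags'] & FLAG_RD)
    return HEADER.pack(q['id'], flags, 1, 0, 0, 0) + q['question']

def full_reply(q, ttl=300):
    """Normal authoritative answer from the toy zone; owner names point at the question."""
    rrs = [(t, rd) for (t, rd) in ZONE.get(q['name'], []) if q['qtype'] in (QTYPE_ANY, t)]
    answers = b''.join(b'\xc0\x0c' + struct.pack('!HHIH', t, 1, ttl, len(rd)) + rd
                       for t, rd in rrs)
    flags = FLAG_QR | FLAG_AA | (q['flags'] & FLAG_RD)
    return HEADER.pack(q['id'], flags, 1, len(rrs), 0, 0) + q['question'] + answers

def handle(msg, transport, restrict_any_udp=True):
    """Server policy: ANY over UDP gets TC=1 only; everything else is answered in full."""
    q = parse_query(msg)
    if restrict_any_udp and transport == 'udp' and q['qtype'] == QTYPE_ANY:
        return truncated_reply(q)
    return full_reply(q)

if __name__ == '__main__':
    query = build_query(0x1234, 'example.com.', QTYPE_ANY)
    for transport in ('udp', 'tcp'):
        reply = handle(query, transport)
        print(transport, len(query), '->', len(reply), 'bytes', parse_header(reply))
```

Because the truncated reply is just the header plus the echoed question, it is exactly the size of the query, so a spoofed ANY/UDP query yields an amplification factor of 1 and the target receives one small packet per query; the TCP retry that a real resolver would make is one a spoofed source never makes. As Tony Finch's reply in this thread observes, this only takes ANY out of the attacker's toolkit, since an MX query on a signed zone still returns a large answer over UDP.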

Re: [dns-operations] DDoS botnet behaviour

2012-06-11 Thread Vernon Schryver
> From: Tony Finch > To: Vernon Schryver > cc: dns-operati...@mail.dns-oarc.net > At the moment I'm just using BIND's sockaddr_hash routine, adapted to hash > on the network prefix and to provide two variant hashes. I think you would do better by treating the IP address as an integer (includi

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Dobbins, Roland
On Jun 11, 2012, at 10:07 PM, Vernon Schryver wrote: > But spending any long term effort on ANY queries in this context All I'm saying is that tactically filtering out ANY queries whilst one is under attack may be a valid tactical response, and that encouraging software developers not to make

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Dobbins, Roland
On Jun 11, 2012, at 6:34 PM, Tony Finch wrote: > For a domain with DNSSEC you get almost as much data in return to an MX > query - 2KB vs 1.5KB for cam.ac.uk. They've been doing that for a while. --- Roland Dobbins //

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Vernon Schryver
> From: Tony Finch > I think it's wrong to focus on ANY queries: restricting them just > encourages the attackers to move on to another query type. For a domain > with DNSSEC you get almost as much data in return to an MX query - 2KB vs > 1.5KB for cam.ac.uk. Today I see 2232 byte responses for

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Tony Finch
Vernon Schryver wrote: > > My hope and almost ambition for the code I've been working on is > find a default set of parameters response rate limiting parameters > to reduce the nuisance of open resolvers. Do you expect the parameters to differ for reflected amplification attacks on authoritative

Re: [dns-operations] DDoS botnet behaviour

2012-06-11 Thread Tony Finch
Vernon Schryver wrote: > > How many hash functions are you using, what are they, and how do you > know that they are sufficiently independent to give a tolerable false > positive rate without using as much RAM as a single classic hash table? You can use a linear combination of two hash functions

Re: [dns-operations] DDoS botnet behaviour

2012-06-11 Thread Vernon Schryver
> From: Tony Finch > To: Vernon Schryver > cc: dns-operati...@mail.dns-oarc.net > The reason I'm basing my work on a Bloom filter is to avoid any per-client > scaling costs. There's a fixed per-packet overhead, a fixed memory cost > (which should be scaled with the server's overall load), and a
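One concrete shape for the fixed-memory limiter that Tony Finch and Vernon Schryver are discussing in the three DDoS botnet behaviour messages above (a linear combination of two hash functions to derive the probe positions, a key built from the address as an integer masked to its network prefix, and a per-packet cost that does not grow with the number of clients), as an added example that is not Tony's code, Vernon's, or the BIND RRL patch: a Python class holding a fixed table of small counters, k slots per key at h1 + i*h2, and a key that is the client's /24 or /56 prefix. The prefix lengths, table size, limit and window are assumed values for the example.

```python
import hashlib
import ipaddress

def prefix_key(addr, v4_bits=24, v6_bits=56):
    """Reduce a client address to its network prefix as bytes tagged with the family.
    Bucketing by prefix (assumed /24 and /56 here) means a spoofer cannot escape the
    limit by walking through the addresses of one subnet."""
    ip = ipaddress.ip_address(addr)
    width, bits = (32, v4_bits) if ip.version == 4 else (128, v6_bits)
    masked = int(ip) & (((1 << bits) - 1) << (width - bits))
    return ip.version.to_bytes(1, 'big') + masked.to_bytes(16, 'big')

class PrefixRateLimiter:
    """Fixed-memory response rate limiter: k counters per key chosen by double hashing
    (h1 + i*h2 mod slots); the estimate for a key is the minimum over its counters, a
    counting-Bloom-filter / count-min style estimate that can over-count but never
    under-count. Memory is the table, never a per-client record."""

    def __init__(self, slots=1 << 16, k=3, limit=5, window=1.0):
        self.slots, self.k, self.limit, self.window = slots, k, limit, window
        self.counts = [0] * slots        # responses seen in the slot's current window
        self.stamps = [0.0] * slots      # start time of that window

    def _indexes(self, key):
        # Two independent 64-bit halves of one digest give h1 and h2; h2 is forced odd
        # so the k probe positions are distinct when slots is a power of two.
        d = hashlib.blake2b(key, digest_size=16).digest()
        h1, h2 = int.from_bytes(d[:8], 'big'), int.from_bytes(d[8:], 'big') | 1
        return [(h1 + i * h2) % self.slots for i in range(self.k)]

    def respond(self, addr, now):
        """Record one response to addr at time now (seconds) and return True if it may
        be sent, False if the prefix is already over limit responses in this window."""
        idxs = self._indexes(prefix_key(addr))
        for i in idxs:
            if now - self.stamps[i] >= self.window:   # window expired: restart counter
                self.counts[i] = 0
                self.stamps[i] = now
            self.counts[i] += 1
        estimate = min(self.counts[i] for i in idxs)
        return estimate <= self.limit

if __name__ == '__main__':
    rl = PrefixRateLimiter(limit=3)
    for t, addr in enumerate(['192.0.2.7', '192.0.2.8', '192.0.2.9', '192.0.2.10', '198.51.100.1']):
        print(addr, 'send' if rl.respond(addr, 0.1 * t) else 'drop')
```

The per-packet work is k digests' worth of indexing plus k counter updates, and the false-positive mode Vernon raises is visible in the structure: a quiet prefix is only throttled if all k of its slots happen to be shared with busy prefixes, which is what the minimum over the counters buys over a single hashed counter, and what sizing the table to the server's load (rather than to its client count) controls.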

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-11 Thread Jan-Piet Mens
> Is it possible to determine the home gateway device (CPE) make and model > via SNMP? If they have open DNS proxies they probably have SNMP as well. The CPE I use (Fritzbox -- quite popular in .DE) has no SNMP agent on it (at least not on the not-jailbroken versions :) -JP __

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-11 Thread Livingood, Jason
Is it possible to determine the home gateway device (CPE) make and model via SNMP? If they have open DNS proxies they probably have SNMP as well. - Jason On 6/11/12 3:24 AM, "sth...@nethelp.no" wrote: >> I see the same query against my private domain. It started roughly on >> the 25th of May.

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-11 Thread Tony Finch
Jim Reid wrote: > > I posted here to see if anyone else is experiencing this behaviour or can > identify the root cause. DDoS attacks against "important" name servers are > fairly common. Could the bad guys now be picking easier targets that may be > more likely to fall over? And why pick on my na

Re: [dns-operations] DDoS botnet behaviour

2012-06-11 Thread Tony Finch
Vernon Schryver wrote: > > The second issue concerns log noise and the popular enthusiasm for > using Bloom filters for DNS response rate limiting. I've heard more > than one suggestion for using Bloom filters for DNS response rate > limiting. Bloom filters are a great idea for some things but I

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Tony Finch
Colm MacCárthaigh wrote: > From the point of view of an SMTP server, an "ANY" query is a rational > way to find all of the records it will need, in one pass. That isn't actually why qmail is making an ANY query - it isn't interested in more than one RR type. There is exactly one point in qmail

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Tony Finch
Stephane Bortzmeyer wrote: > > What about forcing TCP for ANY requests only? I think it's wrong to focus on ANY queries: restricting them just encourages the attackers to move on to another query type. For a domain with DNSSEC you get almost as much data in return to an MX query - 2KB vs 1.5KB fo

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-11 Thread Zuleger, Holger, Vodafone Germany
> > What I don't understand is that the source addresses are mostly out > > of dynamic address pools from broadband ISP around the world. > > So the victims are residential users? > > No, most likely the residential users have CPEs with DNS proxies which > are open to queries from the WAN side. Th

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Zuleger, Holger, Vodafone Germany
> > What about rate limiting clients which are not keeping the > TTL value? > > We are talking about rate limiting on authoritative name > servers, right? > > Not *only* on authoritative name servers. It is also relevant for > recursive name servers. In general, yes of course. But I had ANY quer

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Paul Vixie
On 2012-06-11 7:19 AM, Zuleger, Holger, Vodafone Germany wrote: > What I have in mind is, that the recursive name server will send back > what is (actually) in the cache. The client doesn't know if the > answer is full-fledged. So sending ANY query to recursive servers is > almost useless. i reme

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Zuleger, Holger, Vodafone Germany
> Someone mentioned that as soon as the spoofed client is blocked, that > a new spoofed client is used... This behavior seems... strange. How I can't confirm this behaviour. > quick is this shift? How would one know when to shift the target? The > modes I _can_ come up with largely involve having

Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

2012-06-11 Thread sthaug
> I see the same query against my private domain. It started roughly on > the 25th of May. > What is common is the UDPsize of 9000 and that both domains are signed. > Because of that the amplification factor is much higher. > > What I don't understand is that the source addresses are mostly out > o

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread sthaug
> What about rate limiting clients which are not keeping the TTL value? > We are talking about rate limiting on authoritative name servers, right? Not *only* on authoritative name servers. It is also relevant for recursive name servers. Steinar Haug, Nethelp consulting, sth...@nethelp.no

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Zuleger, Holger, Vodafone Germany
> > "Not supporting" > > ANY queries would also have side effects - simply dropping the > > query makes the authoritative server appear unresponsive to the > > recursive server initiating the query. > > Note that in many cases the server receiving the ANY query is a > recursive server, not an autho

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Zuleger, Holger, Vodafone Germany
> > to that end, vernon schryver and i have been exploring rate > limiting in > > BIND 9. there's a patch available, which i've so far offered only to > > anyone whose server is currently getting abused. what i'm great. > > config { > > // ... > > rate-limit { > > res