Hello everyone,

I noticed some issues on one of the DNS servers I am managing. It was getting queries for a couple of attacking domains, and the server was replying in TCP with 3700 bytes, releasing very heavy packets. Now I see the presence of some (legitimate) DNS forwarders and hence I don't wish to limit queries.

As I understand, there are two ways here for a fix:

1. I can put a DNS rate limit on replies to ANY packets, like say 5 replies every one minute (but again I have some forwarders with quite a few machines behind them).
2. The other way is limiting TCP port 53 outbound size, limiting to say 600-700 bytes or so.

I am sure I am not the first person experiencing this issue. Curious to hear how you are managing it. Also, under what circumstances can I get a legitimate TCP query on port 53 whose reply exceeds a basic limit of less than 1000 bytes?

Thanks.

--
Anurag Bhatia
anuragbhatia.com
Linkedin <http://in.linkedin.com/in/anuragbhatia21> | Twitter <https://twitter.com/anurag_bhatia>
Skype: anuragbhatia.com
On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
I am sure I am not the first person experiencing this issue. Curious to hear how you are managing it. Also, under what circumstances can I get a legitimate TCP query on port 53 whose reply exceeds a basic limit of less than 1000 bytes?
I'm not a DNS guru so I don't have an exact answer. However, my gut feeling is that putting in place a rule to drop or rate limit DNS replies greater than X bytes is probably going to come back to bite you in the future. No one can predict the future of what will constitute legitimate DNS traffic.
Hi ML,

Yeah, I can understand. Even DNSSEC will have issues with it, which makes me worry about the rule even today.

On Wed, Dec 11, 2013 at 11:49 PM, ML <ml@kenweb.org> wrote:
I'm not a DNS guru so I don't have an exact answer. However, my gut feeling is that putting in place a rule to drop or rate limit DNS replies greater than X bytes is probably going to come back to bite you in the future.
No one can predict the future of what will constitute legitimate DNS traffic.
I think it is a better idea to rate-limit your responses rather than limiting the size of them.

AFAIK, BIND has a way to do it.

.as

On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia <me@anuragbhatia.com> wrote:
Hi ML
Yeah, I can understand. Even DNSSEC will have issues with it, which makes me worry about the rule even today.
The dns-operations list is likely best suited for this question, but...

If using BIND 9.9.4 you can set the system to use TCP for repeated queries to prevent spoofed ones from being replied to (i.e. you being used as an amplifier).

There are lists of domains published that are used in abuse, e.g.:

https://twitter.com/DnsSmurf
http://dnsamplificationattacks.blogspot.nl/
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blackl...

You should restrict your DNS server (as much as possible) to only respond to your customer base.

If you are using Microsoft DNS, STOP. It has no way to restrict the clients it replies to queries for. Set up real software to forward to it which does the filtering and scoping for your space.

NSD and others also have the ability to configure rate-limiting. Knowing what software you are using is an important key here for proper recommendations and guide pointers.

Good luck,

- jared

On Dec 11, 2013, at 2:17 PM, Arturo Servin <arturo.servin@gmail.com> wrote:
I think it is a better idea to rate-limit your responses rather than limiting the size of them.
AFAIK, BIND has a way to do it.
.as
https://kb.isc.org/article/AA-01000

On Wed, Dec 11, 2013 at 2:17 PM, Arturo Servin <arturo.servin@gmail.com> wrote:
I think it is a better idea to rate-limit your responses rather than limiting the size of them.
AFAIK, BIND has a way to do it.
.as
Hi Doug,

I am using PowerDNS recursor.

On Thu, Dec 12, 2013 at 12:51 AM, Doug Barton <dougb@dougbarton.us> wrote:
You don't mention what software you're using. If you're using BIND, ask this question on bind-users@isc.org. There is indeed a solution.
Doug
On 12/11/2013 10:06 AM, Anurag Bhatia wrote:
Hello everyone
I noticed some issues on one of DNS server I am managing.
If you are using BIND, take a look at: https://kb.isc.org/article/AA-01000

cv

On Wed, Dec 11, 2013 at 1:06 PM, Anurag Bhatia <me@anuragbhatia.com> wrote:
Hello everyone
I noticed some issues on one of the DNS servers I am managing. It was getting queries for a couple of attacking domains, and the server was replying in TCP with 3700 bytes, releasing very heavy packets. Now I see the presence of some (legitimate) DNS forwarders and hence I don't wish to limit queries.
Anurag Bhatia <me@anuragbhatia.com> wrote:
Now I see the presence of some (legitimate) DNS forwarders and hence I don't wish to limit queries.
You are going to have to change your mind about this one. Open recursive resolvers are a really bad idea, unless you can afford a lot of time and cleverness to manage the abuse. Get your users to choose a more appropriate name server, and restrict your name server to your local networks.

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
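The two controls recommended in this thread, Jared's (restrict recursion to your customer base and let BIND 9.9.4's rate limiting push repeated responses to TCP) and Tony's (restrict the name server to your local networks), as one added example in Python. This is not code from the thread, from BIND or from PowerDNS; it models the policy a resolver front end applies, with a constructed address plan (192.0.2.0/24 as the customer range and a forwarder at 198.51.100.7), constructed thresholds (5 identical responses per second, slip 2) and a constructed query stream, and a simplified sliding window in place of BIND's credit accounting:

```python
"""Added example, not from the thread: a toy front-end policy for a recursive
resolver that applies the two controls recommended above, in the order a
resolver applies them.

1. Recursion ACL: only our own networks and the known forwarders may recurse;
   everyone else gets REFUSED, so a spoofed victim address outside our space
   never triggers a large answer.
2. Response rate limiting in the style of BIND 9.9.4's rate-limit feature:
   identical responses to the same /24 (or /56 for IPv6) are capped per
   second, and every `slip`-th suppressed response is sent truncated (TC=1)
   so a real client retries over TCP while a spoofed victim only receives a
   tiny packet.

The window accounting is a simplified sliding window, not BIND's
credit/penalty algorithm. Address plan, thresholds and query stream are
constructed for the example.
"""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Assumed address plan (constructed): our customer space plus one legitimate
# forwarder that has many hosts behind it.
ALLOWED_RECURSION = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


@dataclass(frozen=True)
class Query:
    src: str      # source address as seen on the wire; may be spoofed
    qname: str
    qtype: str
    t: float      # arrival time in seconds


@dataclass
class ResolverPolicy:
    responses_per_second: int = 5
    slip: int = 2     # every 2nd suppressed response goes out as TC=1 instead of silence
    # (netblock, qname, qtype) -> timestamps of responses sent within the last second
    _sent: dict = field(default_factory=lambda: defaultdict(list))
    # (netblock, qname, qtype) -> number of responses suppressed so far
    _excess: dict = field(default_factory=lambda: defaultdict(int))

    def allowed(self, src: str) -> bool:
        """Recursion ACL: is this source inside a network we serve?"""
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in ALLOWED_RECURSION)

    @staticmethod
    def bucket(src: str) -> str:
        """Aggregate clients by /24 (IPv4) or /56 (IPv6), as BIND's RRL does by default."""
        ip = ipaddress.ip_address(src)
        plen = 24 if ip.version == 4 else 56
        return str(ipaddress.ip_network(f"{src}/{plen}", strict=False))

    def decide(self, q: Query) -> str:
        if not self.allowed(q.src):
            return "REFUSED"                      # no recursion for strangers
        key = (self.bucket(q.src), q.qname.lower(), q.qtype.upper())
        recent = [ts for ts in self._sent[key] if q.t - ts < 1.0]
        if len(recent) < self.responses_per_second:
            recent.append(q.t)
            self._sent[key] = recent
            return "ANSWER"                       # full response, possibly large
        self._sent[key] = recent
        self._excess[key] += 1
        if self.slip and self._excess[key] % self.slip == 0:
            return "TRUNCATE"                     # TC=1: header-sized reply, real client retries over TCP
        return "DROP"


def run_by_source(policy: ResolverPolicy, queries: list[Query]) -> dict[str, Counter]:
    """Apply the policy to a query stream and tally verdicts per source address."""
    tally = defaultdict(Counter)
    for q in queries:
        tally[q.src][policy.decide(q)] += 1
    return dict(tally)


def constructed_stream() -> list[Query]:
    """Constructed traffic: a reflection attempt from outside our space, the same
    burst from inside it, and a busy forwarder asking for many distinct names."""
    qs = []
    qs += [Query("203.0.113.9", "attack.example", "ANY", i / 20) for i in range(20)]
    qs += [Query("192.0.2.55", "attack.example", "ANY", i / 20) for i in range(20)]
    qs += [Query("198.51.100.7", f"host{i}.example", "A", i / 20) for i in range(20)]
    return qs


if __name__ == "__main__":
    for src, verdicts in run_by_source(ResolverPolicy(), constructed_stream()).items():
        print(f"{src:>14}: {dict(verdicts)}")
```

Note what happens to the forwarder with many hosts behind it, which is Anurag's concern: because the limit is keyed on the identical response tuple per /24, the forwarder's 20 distinct names are all answered, while 20 identical ANY queries for one name from inside the customer range are cut to 5 answers, 7 TC=1 replies and 8 silent drops, and the spoofed source outside the ACL gets 20 REFUSED. A size cap on TCP responses would have hit the forwarder's legitimate large answers and the attack answers alike.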
http://www.team-cymru.org/Services/Resolvers/

The Internet will be a better place with fewer open resolvers around.

--SiNA

On Dec 12, 2013 5:32 AM, "Tony Finch" <dot@dotat.at> wrote:
You are going to have to change your mind about this one. Open recursive resolvers are a really bad idea, unless you can afford a lot of time and cleverness to manage the abuse. Get your users to choose a more appropriate name server, and restrict your name server to your local networks.
Also: http://openresolverproject.org/

Also, open resolvers are harmful to the Internet, so it would not surprise me to see organizations begin blocking any communication with them based on published lists of open recursive resolvers.

- ferg.

On 12/12/2013 8:23 AM, SiNA Rabbani wrote:
http://www.team-cymru.org/Services/Resolvers/
The Internet will be a better place with fewer open resolvers around.
--SiNA

--
Paul Ferguson
PGP Public Key ID: 0x63546533
The Internet will be better without ISPs refusing to apply BCP38.

<end of comment>

This is a pointless argument since the majority of the industry prefers going after the <flavor of the month> UDP flood instead of curbing the problem at its source once and for all.

-----
Alain Hebert                ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443

On 12/12/13 11:23, SiNA Rabbani wrote:
http://www.team-cymru.org/Services/Resolvers/
The Internet will be a better place with fewer open resolvers around.
--SiNA
On Dec 12, 2013, at 3:27 PM, Alain Hebert <ahebert@pubnix.net> wrote:
The Internet will be better without ISPs refusing to apply BCP38.
<end of comment>
This is a pointless argument since the majority of the industry prefers going after the <flavor of the month> UDP flood instead of curbing the problem at its source once and for all.
I would restate this as "Network Operators" vs "ISPs". If you operate a network and it allows spoofing internally, or facing your ISP, you are also at fault.

- Jared
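The source-side fix Alain and Jared refer to, BCP38 ingress filtering, as an added example in Python that is not from the thread: strict unicast RPF, where a packet is forwarded only if the longest-prefix-match route back to its source address points out the interface the packet arrived on. The forwarding table (two customer prefixes and a default route) and the packets are constructed for the example.

```python
"""Added example, not from the thread: strict unicast RPF as a model of BCP38
ingress filtering. A packet arriving on an interface is accepted only if the
best route back to its source address leaves through that same interface.
Forwarding table and packets are constructed."""
import ipaddress

# Constructed forwarding table: prefix -> outgoing interface.
ROUTES = {
    "192.0.2.0/24": "cust1",       # customer 1's assigned space
    "198.51.100.0/24": "cust2",    # customer 2's assigned space
    "0.0.0.0/0": "upstream",       # everything else goes to the transit provider
}
_TABLE = [(ipaddress.ip_network(p), ifname) for p, ifname in ROUTES.items()]


def best_route(addr: str):
    """Longest-prefix match; returns (prefix, interface) or None if unroutable."""
    ip = ipaddress.ip_address(addr)
    # ip_network.__contains__ is False across address families, so an IPv6
    # source against this IPv4-only table is simply unroutable.
    matches = [(net, ifname) for net, ifname in _TABLE if ip in net]
    if not matches:
        return None
    net, ifname = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), ifname


def urpf_strict(src: str, ingress: str) -> bool:
    """Strict uRPF: forward only if the route to src leaves via the ingress interface."""
    route = best_route(src)
    return route is not None and route[1] == ingress


def filter_packets(packets):
    """Return (src, ingress, verdict) for each constructed (src, ingress) pair."""
    return [(src, ingress, "forward" if urpf_strict(src, ingress) else "drop")
            for src, ingress in packets]


# Constructed packets: (source address, interface it arrived on).
CONSTRUCTED_PACKETS = [
    ("192.0.2.10", "cust1"),      # customer 1 using its own address
    ("198.51.100.5", "cust1"),    # customer 1 spoofing customer 2's address
    ("203.0.113.9", "cust1"),     # customer 1 spoofing an address nobody here owns
    ("203.0.113.9", "upstream"),  # default route points at upstream, so it passes
]


if __name__ == "__main__":
    for src, ingress, verdict in filter_packets(CONSTRUCTED_PACKETS):
        print(f"{src:>13} via {ingress:<8} -> {verdict}")
```

The last packet shows the limit of the strict check: on the interface that carries the default route it accepts any source, so the filter belongs on customer-facing edges where the set of legitimate prefixes is known, and asymmetrically routed or multihomed customers need loose mode or an explicit prefix ACL instead.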
participants (10)
- Alain Hebert
- Anurag Bhatia
- Arturo Servin
- Carlos Vicente
- Doug Barton
- Jared Mauch
- ML
- Paul Ferguson
- SiNA Rabbani
- Tony Finch