This past weekend we started receiving bursts of lookups on our DNS server for "localhost." We blocked our subscriber abusing this lookup (most assuredly malware and not intentional) but curious what safeguards you put in place for DOS attacks on your DNS servers.

1. As an ISP do you see a problem with blocking localhost on your DNS servers? (we don't see any validity to these requests but checking with you to see if we've overlooked something).
2. Do you have an actual localhost zone that issues 127.0.0.1?
3. Do you block >512 Bytes DNS requests?
4. Do you block non-UDP DNS requests or rate-limit requests?
5. Anything else you block/filter on your DNS servers?

-=JGR
On 11/17/2014 01:11 PM, Radke, Justin wrote:
This past weekend we started receiving bursts of lookups on our DNS server for "localhost." We blocked our subscriber abusing this lookup (most assuredly malware and not intentional) but curious what safeguards you put in place for DOS attacks on your DNS servers.
1. As an ISP do you see a problem with blocking localhost on your DNS servers? (we don't see any validity to these requests but checking with you to see if we've overlooked something).
Not really
2. Do you have an actual localhost zone that issues 127.0.0.1?
Yes
3. Do you block >512 Bytes DNS requests?
No.
4. Do you block non-UDP DNS requests or rate-limit requests?
Yes
5. Anything else you block/filter on your DNS servers?
- block/limit "any" queries
- block/limit "root NS" queries
- block anycast/broadcast source address packets
- block fragmented packets
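The "rate-limit requests" and "block/limit any queries" items in the list above are easier to reason about with the decision logic written out. The following is an added example, not code from the thread or from any resolver: a per-client fixed-window limiter with a separate, tighter budget for ANY queries, replayed over constructed log lines. The class and function names (QueryRateLimiter, apply_policy) are hypothetical, and the log format is a simplified one invented here, not BIND's query-log format.

```python
"""Added example, not code from the thread: per-client DNS query rate limiting
with a separate budget for ANY queries, run over constructed log lines.

Hypothetical names: QueryRateLimiter, apply_policy.  The log format below is
invented for this example ("<epoch seconds> <client> <qname> <qtype>").
"""
import re
from collections import defaultdict
from typing import Optional

# Constructed sample log.  192.0.2.10 behaves like the client in the first post:
# a burst of "localhost" lookups within one second.  198.51.100.7 sends ANY
# queries, the classic amplification vector.  203.0.113.5 is an ordinary client.
SAMPLE_LOG = """\
1416229860 192.0.2.10 localhost A
1416229860 192.0.2.10 localhost A
1416229860 192.0.2.10 localhost A
1416229860 192.0.2.10 localhost A
1416229860 192.0.2.10 localhost A
1416229860 192.0.2.10 localhost A
1416229860 192.0.2.10 localhost A
1416229860 192.0.2.10 localhost A
1416229860 198.51.100.7 isc.org ANY
1416229860 198.51.100.7 isc.org ANY
1416229860 203.0.113.5 example.com AAAA
1416229861 192.0.2.10 localhost A
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


class QueryRateLimiter:
    """Fixed one-second window per client; ANY queries count against both budgets."""

    def __init__(self, per_second: int = 5, any_per_second: int = 1):
        self.per_second = per_second
        self.any_per_second = any_per_second
        self._state = defaultdict(lambda: {"second": None, "total": 0, "any": 0})

    def decide(self, ts: int, client: str, qtype: str) -> str:
        """Return "answer" or "drop" for one query from client at epoch second ts."""
        st = self._state[client]
        if st["second"] != ts:                     # new window for this client
            st.update(second=ts, total=0, any=0)
        st["total"] += 1
        if qtype == "ANY":
            st["any"] += 1
            if st["any"] > self.any_per_second:    # tighter budget for ANY
                return "drop"
        return "drop" if st["total"] > self.per_second else "answer"


def apply_policy(log_text: str, limiter: Optional[QueryRateLimiter] = None) -> dict:
    """Replay log lines through the limiter; return per-client answer/drop counts."""
    limiter = limiter or QueryRateLimiter()
    summary = defaultdict(lambda: {"answer": 0, "drop": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                               # skip malformed lines
        ts, client, _qname, qtype = m.groups()
        summary[client][limiter.decide(int(ts), client, qtype)] += 1
    return dict(summary)


if __name__ == "__main__":
    for client, counts in sorted(apply_policy(SAMPLE_LOG).items()):
        print(f"{client:16} answered={counts['answer']} dropped={counts['drop']}")
```

In the constructed log the bursting client gets five answers and three drops in its first second, then an answer again once the window rolls over, while the ANY client is held to one answer per second. A real deployment does this inside the resolver rather than over a log replay, and the "drop" branch stands in for whatever the server's own rate-limiting feature does with the excess.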
4. Do you block non-UDP DNS requests or rate-limit requests?
Yes
Why? See RFC 5966, "DNS Transport over TCP - Implementation Requirements". You make it very hard for DNSSEC.
5. Anything else you block/filter on your DNS servers?
block fragmented packets
Why? You then block EDNS0, which DNSSEC uses. (UDP packets up to 4096 bytes, then TCP.)

/Anders
3. Do you block >512 Bytes DNS requests?
How many > 512 byte DNS requests are people seeing? Perhaps the requester meant > 512 byte DNS responses? Blocking > 512 byte responses would be ... unfortunate.
4. Do you block non-UDP DNS requests or rate-limit requests?
Yes
I presume (hope) the "yes" applies to rate limiting? Blocking non-UDP DNS is a bad idea. As RFC 5966 states: "... it should be noted that failure to support TCP (or the blocking of DNS over TCP at the network layer) may result in resolution failure and/or application-level timeouts."
block anycast/broadcast source address packets
How do you know if a source address is an anycast address?
block fragmented packets
Why would you want to block fragmented packets?

Regards,
-drc
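The objections in the two replies above (blocking TCP/53 and blocking fragments both break DNSSEC-sized answers) come down to two wire-level mechanisms: the EDNS0 OPT record that advertises a UDP payload size above 512 bytes, and the TC bit that forces a retry over TCP. The following is an added example, not code from the thread or from any DNS implementation: it builds a real wire-format query carrying an OPT record and applies the RFC 5966 truncation rule to constructed replies. All messages are built inline and nothing is sent on the network; the helper names (build_query, advertised_udp_size, next_transport) are hypothetical.

```python
"""Added example, not code from the thread: a wire-format DNS query with an
EDNS0 OPT record (RFC 6891) and the RFC 5966 truncation rule, showing what
network-layer filters on TCP/53 or fragments actually cut off.

Constructed messages only; nothing is sent.  Hypothetical helpers:
build_query, advertised_udp_size, next_transport.
"""
import struct

EDNS_UDP_SIZE = 4096   # UDP payload size a DNSSEC-aware resolver advertises
CLASSIC_LIMIT = 512    # pre-EDNS0 UDP message limit from RFC 1035
OPT_TYPE = 41          # RR type of the EDNS0 OPT pseudo-record
DO_BIT = 0x8000        # "DNSSEC OK" flag carried in the OPT TTL field
TC_FLAG = 0x0200       # truncation bit in the header flags


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label sequence terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past the name at offset (handles compression pointers)."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:              # 2-byte pointer ends the name
            return offset + 2
        offset += 1 + length


def build_query(name: str, qtype: int, txid: int = 0x1234,
                edns: bool = True, dnssec_ok: bool = True) -> bytes:
    """Build a recursive query; with edns=True add an OPT RR in the additional section."""
    flags = 0x0100                             # RD set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    msg = header + question
    if edns:
        # OPT RR: root name, type 41, CLASS field = UDP payload size,
        # TTL field = extended RCODE / version / flags (DO bit), no RDATA.
        ttl = DO_BIT if dnssec_ok else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_UDP_SIZE, ttl, 0)
    return msg


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields this example needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "arcount": ar}


def advertised_udp_size(query: bytes) -> int:
    """UDP payload size the query advertises via EDNS0, or 512 if it carries no OPT RR."""
    hdr = parse_header(query)
    offset = 12
    for _ in range(hdr["qdcount"]):
        offset = skip_name(query, offset) + 4   # skip QTYPE + QCLASS
    if hdr["arcount"] == 0 or offset >= len(query) or query[offset] != 0:
        return CLASSIC_LIMIT                   # no additional RR, or name is not root
    rtype, size = struct.unpack("!HH", query[offset + 1:offset + 5])
    return size if rtype == OPT_TYPE else CLASSIC_LIMIT


def next_transport(udp_response: bytes) -> str:
    """RFC 5966 rule: a UDP answer with TC=1 must be retried over TCP.

    Dropping TCP/53 turns every such answer into a resolution failure; dropping
    fragments makes large UDP answers vanish, so TC=1 retries become the norm."""
    return "retry-over-tcp" if parse_header(udp_response)["tc"] else "complete"


# Constructed replies (same transaction id; QR, RD, RA set).  TRUNCATED_REPLY is
# what a server sends when the full answer exceeds the UDP size it will use:
# TC=1 and an empty answer section.  COMPLETE_REPLY carries one A record.
_reply_question = encode_name("example.com") + struct.pack("!HH", 1, 1)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180 | TC_FLAG, 1, 0, 0, 0) + _reply_question
COMPLETE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _reply_question
                  + struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    q = build_query("example.com", 1)
    print(f"{len(q)}-byte query advertises {advertised_udp_size(q)}-byte UDP answers")
    print("truncated reply ->", next_transport(TRUNCATED_REPLY))
```

The query itself is a few dozen bytes, which is why a filter on requests above 512 bytes costs nothing, while the same limit on responses, or on the fragments and TCP retries that carry large responses, is what breaks validation.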
Radke, Justin <jradke@canbytel.com> wrote:
2. Do you have an actual localhost zone that issues 127.0.0.1?
Yes. I think this is best practice though it isn't required by RFC 6303 and isn't set up by default in BIND like the empty reverse DNS zones.
3. Do you block >512 Bytes DNS requests?
512 byte requests are unlikely to be valid. Blocking >512 byte answers breaks the DNS.
4. Do you block non-UDP DNS requests or rate-limit requests?
Blocking TCP requests breaks the DNS. See RFC 5966.
5. Anything else you block/filter on your DNS servers?
Have a look at these slides, especially the last 12 on mitigating abuse of recursive servers. http://www.isc.org/wp-content/uploads/2014/11/DNS-RRL-LISA14.pdf

Tony.

--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Northeast Viking, North Utsire: Southeasterly becoming variable, 3 or 4. Slight or moderate. Showers. Good.
participants (5)
- Anders Löwinger
- David Conrad
- Radke, Justin
- Stephen Satchell
- Tony Finch