nanog mailing list archives
Re: Best practice on TCP replies for ANY queries
From: Jared Mauch <jared () puck nether net>
Date: Wed, 11 Dec 2013 14:26:22 -0500
dns-operations list is likely best suited for this question, but... If using BIND 9.9.4 you can set the system to use TCP for repeated queries to prevent spoofed ones from being replied to (ie: use yourself as an amplifier). There's lists of domains published that are used in abuse, eg: https://twitter.com/DnsSmurf http://dnsamplificationattacks.blogspot.nl/ https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt You should restrict your DNS server (as much as possible) to only respond to your customer base. If you are using microsoft dns, STOP. It has no way to restrict the clients it replies to queries for. Set up real software to forward to it which does the filtering and scoping for your space. NSD and others also have the ability to configure rate-limiting, knowing what software you are using is an important key here for proper recommendations and guide pointers. Good luck, - jared On Dec 11, 2013, at 2:17 PM, Arturo Servin <arturo.servin () gmail com> wrote:
I think is better idea to rate-limit your responses rather than limiting the size of them. AFAIK, bind has a way to do it. .as On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia <me () anuragbhatia com> wrote:Hi ML Yeah I can understand. Even DNSSEC will have issues with it which makes me worry about rule even today. On Wed, Dec 11, 2013 at 11:49 PM, ML <ml () kenweb org> wrote:On 12/11/2013 1:06 PM, Anurag Bhatia wrote:I am sure I am not first person experiencing this issue. Curious to hear how you are managing it. Also under what circumstances I can get a legitimate TCP query on port 53 whose reply exceeds a basic limit of less then 1000 bytes?I'm not a DNS guru so I don't have an exact answer. However my gut feeling is that putting in a place a rule to drop or rate limit DNS replies greater than X bytes is probably going to come back to bite you in the future. No one can predict the future of what will constitute legitimate DNS traffic.-- Anurag Bhatia anuragbhatia.com Linkedin <http://in.linkedin.com/in/anuragbhatia21> | Twitter<https://twitter.com/anurag_bhatia> Skype: anuragbhatia.com
Current thread:
- Best practice on TCP replies for ANY queries Anurag Bhatia (Dec 11)
- Re: Best practice on TCP replies for ANY queries ML (Dec 11)
- Re: Best practice on TCP replies for ANY queries Anurag Bhatia (Dec 11)
- Re: Best practice on TCP replies for ANY queries Arturo Servin (Dec 11)
- Re: Best practice on TCP replies for ANY queries Jared Mauch (Dec 11)
- Re: Best practice on TCP replies for ANY queries Carlos Vicente (Dec 11)
- Re: Best practice on TCP replies for ANY queries Anurag Bhatia (Dec 11)
- Re: Best practice on TCP replies for ANY queries ML (Dec 11)
- Re: Best practice on TCP replies for ANY queries Doug Barton (Dec 11)
- Re: Best practice on TCP replies for ANY queries Anurag Bhatia (Dec 11)
- Re: Best practice on TCP replies for ANY queries Carlos Vicente (Dec 11)
- Re: Best practice on TCP replies for ANY queries Tony Finch (Dec 12)
- Re: Best practice on TCP replies for ANY queries SiNA Rabbani (Dec 12)
- Re: Best practice on TCP replies for ANY queries Paul Ferguson (Dec 12)
- Re: Best practice on TCP replies for ANY queries Alain Hebert (Dec 12)
- Re: Best practice on TCP replies for ANY queries Jared Mauch (Dec 12)
- Re: Best practice on TCP replies for ANY queries SiNA Rabbani (Dec 12)