nanog mailing list archives
Re: Comcast residential DNS contact
From: Stephen Satchell <list () satchell net>
Date: Wed, 03 Dec 2014 07:45:48 -0800
No. When I've been victim of DNS amplification attacks, the packet capture showed that the attacker used ANY queries. Legit ANY queries on my recursive servers? Damn few. So I block. Not so on my authoritative servers, where ANY queries on the domains I host zone files for have not caused any problems, for anyone. Another thing I did was slow down the port for my recursive DNS servers to 10 megabits/s. That means that my upstream link can't be saturated by DNS amplification. Oh, and I rate-limit incoming queries to my DNS servers by IP address range -- an attack from one subnet won't affect queries from other parts of the net. Queries from my IP address range have a high cap; J random IP addresses have a lower cap. On 12/03/2014 07:28 AM, Jared Mauch wrote:
So have A record queries. Do you filter those as well? Jared MauchOn Dec 3, 2014, at 9:08 AM, Stephen Satchell <list () satchell net> wrote:On 12/03/2014 04:04 AM, Niels Bakker wrote: * shortdudey123 () gmail com (Grant Ridder) [Wed 03 Dec 2014, 12:54 CET]:Both of Google’s public DNS servers return complete results every time and one of the two comcast ones works fine. If this is working by design, can you provide the RFC with that info?An ANY query will typically return only what's already in the cache. So if you ask for MX records first and then query the same caching resolver for ANY it won't return, say, any TXT records that may be present at the authoritative nameserver. This could be implementation dependent, but Comcast's isn't wrong, and you should not rely on ANY queries returning full data. This has been hashed out to tears in the past, for example when qm**l used to do these queries in an attempt to optimise DNS query volumes and RTT.At the ISP I consult to, I filter all ANY queries, because they have been used for DNS amplification attacks.
Current thread:
- Comcast residential DNS contact Grant Ridder (Dec 03)
- Re: Comcast residential DNS contact Niels Bakker (Dec 03)
- Re: Comcast residential DNS contact Grant Ridder (Dec 03)
- Re: Comcast residential DNS contact Niels Bakker (Dec 03)
- Re: Comcast residential DNS contact Stephen Satchell (Dec 03)
- Re: Comcast residential DNS contact Pavel Odintsov (Dec 03)
- Re: Comcast residential DNS contact Jared Mauch (Dec 03)
- Re: Comcast residential DNS contact Stephen Satchell (Dec 03)
- Re: Comcast residential DNS contact Jared Mauch (Dec 03)
- Re: Comcast residential DNS contact Brian Rak (Dec 03)
- Re: Comcast residential DNS contact Grant Ridder (Dec 03)
- Re: Comcast residential DNS contact Grant Ridder (Dec 03)
- Re: Comcast residential DNS contact Doug Barton (Dec 03)
- Re: Comcast residential DNS contact Grant Ridder (Dec 03)
- Re: Comcast residential DNS contact Mark Andrews (Dec 03)
- Re: Comcast residential DNS contact Grant Ridder (Dec 03)
- Re: Comcast residential DNS contact Niels Bakker (Dec 03)
- Re: Comcast residential DNS contact Andrew Sullivan (Dec 03)
- Re: Comcast residential DNS contact Christopher Morrow (Dec 03)
- Re: Comcast residential DNS contact Scott Helms (Dec 03)