Open Resolver Problems

Mon Apr 1 18:33:57 UTC 2013

On 2013-04-01, at 14:19, Jay Ashworth <jra at baylink.com> wrote:

>> From: "Roland Dobbins" <rdobbins at arbor.net>
> 
>> On Apr 1, 2013, at 11:18 PM, Patrick W. Gilmore wrote:
>>> Of course, since users shouldn't be using off-net name servers
>>> anyway, this isn't really a problem! :)
>> 
>> ;>
>> 
>> It's easy enough to construct ACLs to restrict the broadband consumer
>> access networks from doing so. Additional egress filtering would catch
>> any reflected attacks, per your previous comments.
> 
> So, how would Patrick's caveat affect me, whose recursive resolver *is 
> on my Linux laptop*?  Would not that recursor be making queries he 
> advocates blocking?

The badness that Patrick is talking about blocking are DNS responses being sent from consumer devices to the Internet, answering DNS queries being sent from the Internet towards consumer devices. (I think. This thread is sufficiently circular that I feel a bit dizzy, and could be mistaken.) The DNS traffic outbound from your laptop will be DNS queries (not responses) and the inbound traffic will be DNS responses (not queries). The traffic profiles are different.

The case where infected consumer devices originate source-spoofed queries towards open resolvers, feeding a query stream to an amplifier for delivery to a victim, is mitigated by preventing those consumer devices from spoofing their source address, so BCP38.

The case where infected consumer devices originate non-source-spoofed queries towards DNS servers in order to overwhelm the servers themselves with perfectly legitimate-looking queries is a harder problem to solve at the edge, and is most easily mitigated for DNS server operators by the approach "ensure great headroom".

Joe