Best practice on TCP replies for ANY queries

Jared Mauch jared at puck.nether.net
Wed Dec 11 19:26:22 UTC 2013


dns-operations list is likely best suited for this question, but...

If using BIND 9.9.4 you can set the system to use TCP for repeated queries to prevent spoofed ones from being replied to (ie: use yourself as an amplifier).

There's lists of domains published that are used in abuse, eg:

https://twitter.com/DnsSmurf
http://dnsamplificationattacks.blogspot.nl/
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

You should restrict your DNS server (as much as possible) to only respond to your customer base.

If you are using microsoft dns, STOP.  It has no way to restrict the clients it replies to queries for.  Set up real software to forward to it which does the filtering and scoping for your space.

NSD and others also have the ability to configure rate-limiting, knowing what software you are using is an important key here for proper recommendations and guide pointers.

Good luck,

- jared

On Dec 11, 2013, at 2:17 PM, Arturo Servin <arturo.servin at gmail.com> wrote:

> I think is better idea to rate-limit your responses rather than
> limiting the size of them.
> 
> AFAIK, bind has a way to do it.
> 
> .as
> 
> 
> On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia <me at anuragbhatia.com> wrote:
>> Hi ML
>> 
>> 
>> 
>> Yeah I can understand. Even DNSSEC will have issues with it which makes me
>> worry about rule even today.
>> 
>> 
>> On Wed, Dec 11, 2013 at 11:49 PM, ML <ml at kenweb.org> wrote:
>> 
>>> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
>>>> 
>>>> I am sure I am not first person experiencing this issue. Curious to hear
>>>> how you are managing it. Also under what circumstances I can get a
>>>> legitimate TCP query on port 53 whose reply exceeds a basic limit of less
>>>> then 1000 bytes?
>>>> 
>>>> 
>>>> 
>>> 
>>> I'm not a DNS guru so I don't have an exact answer.  However my gut
>>> feeling is that putting in a place a rule to drop or rate limit DNS
>>> replies greater than X bytes is probably going to come back to bite you
>>> in the future.
>>> 
>>> No one can predict the future of what will constitute legitimate DNS
>>> traffic.
>>> 
>>> 
>> 
>> 
>> --
>> 
>> 
>> Anurag Bhatia
>> anuragbhatia.com
>> 
>> Linkedin <http://in.linkedin.com/in/anuragbhatia21> |
>> Twitter<https://twitter.com/anurag_bhatia>
>> Skype: anuragbhatia.com




More information about the NANOG mailing list