DNS security, amplification attacks and recursion
Michael De Roover
isc at nixmagic.com
Tue Jul 7 18:06:29 UTC 2020
On 7/7/20 4:06 PM, Tony Finch wrote:
> An auth-only server can also be used for amplification attacks that use
> its authoritative zones - these attacks don't have to use recursion.
> There are a few ways to mitigate auth-only amplification attacks.
>
> Response rate limiting is very effective. Start off by putting the
> following in your options{} section, and look in the BIND ARM for other
> directives you can put in the rate-limit{} section.
>
> rate-limit {
> responses-per-second 10;
> };
That's a really useful option to have, I didn't know about this yet. It
seems like that could take care of the brunt of amplification attacks
already. Definitely going to add this in, thanks!
> Set a maximum UDP packet size, to suppress fragmented packets. The DNS
> flag day 2020 campaign will make this a standard setting. For a long time
> I have used:
>
> max-udp-size 1420;
>
> https://dnsflagday.net/2020/
>
> A downside of small UDP responses is more truncated packets and more
> queries over TCP, but there are still more ways to reduce response size
> which also reduce truncation.
Interesting, I wasn't aware of this campaign. I don't know if I'm
knowledgeable enough on UDP to be able to make educated decisions on
this myself but I look forward to its eventual release.
> Reduce the size of responses to ANY queries, which are a favourite tool of
> amplification attacks. There's basically no downside to this one, in my
> opinion, but I'm biased because I implemented it.
>
> minimal-any yes;
I've heard of these ANY queries being preferred for amplification
attacks as well, since the responses are often so large... I don't think
that there would be any downsides to this either, in fact I've never
actually seen a legitimate application use it... Probably best to lock
down indeed.
> You can also reduce the size of other answers. In theory this option might
> force resolvers to make more queries to get records that by default would
> appear in the additional section, but I think in practice resolvers make
> these queries anyway because of RFC 2181 trustworthiness logic, and
> because applications (such as SMTP servers) find it easier to query
> directly than use additional records. So on my auth servers I set:
>
> minimal-responses yes;
Hmm, for the authoritative name servers this might be a good idea, yeah.
Those are authoritative only (i.e. `recursion no`). So for clients
querying those, the NS records served in the additional section at least
should already be known to the client anyway... I mean that's why
they're there to begin with, so they must already know that information
from the DNS servers higher up the chain. And another query if needed
saves traffic either way, I suppose.
Thanks a lot for the detailed reply, I really appreciate it :)
--
Met vriendelijke groet / Best regards,
Michael De Roover
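To see how the two quoted mitigations interact, here is an added simulation (not BIND's code and not from either poster) that applies a per-client, per-second limit on identical responses and a UDP size cap to a constructed query stream; the addresses, record sizes, 64-byte query size and the slip-every-second-response behaviour are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

RESPONSES_PER_SECOND = 10   # value from the quoted rate-limit{} block
MAX_UDP_SIZE = 1420         # value from the quoted max-udp-size directive
SLIP = 2                    # assumed: every 2nd over-limit reply is truncated, not dropped
QUERY_BYTES = 64            # assumed size of a query; a TC=1 reply is assumed the same size

@dataclass
class Query:
    t: float        # arrival time in seconds
    client: str     # source address (spoofed in a reflection attack)
    qname: str
    qtype: str
    resp_size: int  # bytes the zone would return for this query

class Limiter:
    """Mirror the spirit of BIND RRL: count identical responses per client /24
    per second; an amplification flood is exactly many identical responses."""
    def __init__(self, per_second=RESPONSES_PER_SECOND, max_udp=MAX_UDP_SIZE):
        self.per_second, self.max_udp = per_second, max_udp
        self.counts = defaultdict(int)   # (second, netblock, qname, qtype) -> n

    def decide(self, q):
        net = ipaddress.ip_network(f"{q.client}/24", strict=False)
        key = (int(q.t), str(net), q.qname.lower(), q.qtype.upper())
        self.counts[key] += 1
        excess = self.counts[key] - self.per_second
        if excess > 0:
            # "slip": occasionally send a TC=1 reply so a real client retries over TCP
            return "truncate" if excess % SLIP == 0 else "drop"
        if q.resp_size > self.max_udp:
            return "truncate"  # too big for UDP; client must retry over TCP
        return "answer"

def summarize(queries, **limits):
    """Return (answered, truncated, dropped, bytes_sent, amplification_factor)."""
    lim = Limiter(**limits)
    tally = {"answer": 0, "truncate": 0, "drop": 0}
    sent = 0
    for q in queries:
        d = lim.decide(q)
        tally[d] += 1
        sent += q.resp_size if d == "answer" else (QUERY_BYTES if d == "truncate" else 0)
    return tally["answer"], tally["truncate"], tally["drop"], sent, sent / (len(queries) * QUERY_BYTES)

# Constructed sample: 25 spoofed TXT queries within one second "from" 192.0.2.7
# (TEST-NET-1) for a 1300-byte record, plus one legitimate MX lookup.
FLOOD = [Query(i * 0.03, "192.0.2.7", "example.com", "TXT", 1300) for i in range(25)]
LEGIT = [Query(0.5, "198.51.100.9", "example.com", "MX", 220)]
```

Calling `summarize(FLOOD + LEGIT)` against `summarize(FLOOD + LEGIT, per_second=10**9, max_udp=65535)` shows the bytes reflected back at the spoofed address dropping from 25 full answers to 10 plus a handful of truncated replies, while the legitimate MX query is still answered.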