Help about DNS documentation

Fred Morris m3047 at m3047.net
Fri Nov 3 17:03:56 UTC 2023


Hello. Your interpretation of what is occurring may be interfering with 
your understanding of it.

On Fri, 3 Nov 2023, Amaury Van Pevenaeyge wrote:
>
> [...] As part of my Master's thesis, I have to implement a DNS 
> amplification scenario within a Cyber Range. However, before achieving 
> this final goal, I first need to make amplification rate measurements 
> within a virtual machine system. I therefore have a few questions about 
> the DNS protocol and DNS servers.
>
>  *   Why do some DNS servers respond via TCP to an ANY query made under
>    UDP? I have read in RFC8482 that modern DNS servers try to limit
>    responses to ANY queries in order to limit the impact of their use in
>    DNS amplification attack but I would like to learn more about the
>    security measures/best practices currently in place for this type of
>    query and for big TXT responses. Does anyone have any sources or
>    other RFCs that might be useful?

It is impossible for a DNS server to respond via TCP to a UDP query at a 
networking level. In general there are two kinds of amplification, number 
of packets (velocity) and size of packets (volume).

It seems you understand that it is only possible to present a source 
address "on behalf of another" with UDP. This is incorrect. While TCP is a 
mitigation for blind trust in the source address of a packet, TCP SYN 
itself results in amplification (velocity) in the form of SYN/ACKs in the 
default tuning of most network stacks.

When a DNS response via UDP cannot be accommodated within the size 
(volume) constraints dictated by path MTU two things can happen: 1) the 
UDP response can be fragmented, resulting in multiple packets that must be 
reassembled; or 2) the server can indicate to the client to retry over TCP 
(TC=1).

TC=1 is also used as an at least partial mitigation for (spoofed) 
amplification traffic, as seen with response rate limiting.

The typical resolver doesn't retry over TCP at all if it doesn't 
receive a (UDP) response with TC=1, for instance if it doesn't receive any 
response at all.

So you have knobs in the zone data, the server, the networking stack 
and all of the intermediating routers to twiddle. You can throw "buffer bloat" 
in there too.


It's interesting that Dig automagically tries TCP first with ANY queries, 
since that is not the default behavior with e.g. A queries.

--

Fred Morris, internet plumber
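The volume amplification and TC=1 behaviour discussed in this reply, as an added worked example that is not part of the post or of BIND: it builds a minimal DNS ANY query over a constructed name (`example.com`) with the standard library only, constructs two responses for it (a full-size one carrying large TXT records, and a truncated one with TC=1 and no answer records), computes the response-to-query byte ratio a spoofed source address would receive, and shows the client-side rule the post describes: retry over TCP only when a matching UDP response with TC=1 arrives, never when no response arrives at all. No packets are sent; everything is built and parsed in memory.

```python
"""Constructed DNS packets illustrating volume amplification and the TC bit.
Pure stdlib, no network I/O.  Names and record contents are made up."""
import struct
from typing import List, Optional

QTYPE_TXT = 16
QTYPE_ANY = 255
QCLASS_IN = 1
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """12-byte header (RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def txt_rdata(text: str) -> bytes:
    """TXT RDATA: a sequence of <length><chars> strings, each at most 255 bytes."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def build_response(query: bytes, answers: List[bytes], truncated: bool) -> bytes:
    """Echo the question back; attach TXT answers unless TC=1 is being signalled,
    in which case the answer section is empty and the client is told to retry."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if truncated:
        flags |= FLAG_TC
        answers = []
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    body = b""
    for rdata in answers:
        # 0xC00C is a compression pointer to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return header + question + body


def parse_header(pkt: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def should_retry_over_tcp(query: bytes, response: Optional[bytes]) -> bool:
    """The resolver rule from the post: TCP is tried only after a matching UDP
    response with TC=1.  No response (e.g. dropped by rate limiting) -> no retry."""
    if response is None:
        return False
    hdr = parse_header(response)
    if not hdr["qr"] or hdr["id"] != struct.unpack("!H", query[:2])[0]:
        return False
    return hdr["tc"]


def amplification_ratio(query: bytes, response: bytes) -> float:
    """Bytes delivered to the (possibly spoofed) source per byte of query."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query(0x1234, "example.com", QTYPE_ANY)
    full = build_response(q, [txt_rdata("x" * 1000)] * 3, truncated=False)
    tc = build_response(q, [txt_rdata("x" * 1000)] * 3, truncated=True)
    print("query bytes:", len(q), "full response bytes:", len(full),
          "ratio: %.1f" % amplification_ratio(q, full))
    print("retry on TC=1:", should_retry_over_tcp(q, tc),
          "retry on full answer:", should_retry_over_tcp(q, full),
          "retry on no answer:", should_retry_over_tcp(q, None))
```

The truncated response is the same 29 bytes as the query it answers, which is why TC=1 is a useful lever for a server under spoofed load: the spoofed victim gets roughly one byte back per byte sent, and only a real client that actually holds the address will complete the TCP retry.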
