BIND ignores queries from specific privileged source ports

Mark Andrews marka at isc.org
Mon Jun 10 22:56:47 UTC 2019



> On 11 Jun 2019, at 8:01 am, Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:
> 
> On 6/10/19 3:29 PM, Mark Andrews wrote:
>> The primary issue here is that there is still source address spoofing happening so you have to consider what if this packet was spoofed. DNS uses UDP and is used as a reflector. The small services ports listed generate reply traffic.
>> Additionally kpasswd and a DNS server can generate a self sustaining traffic loop if it is not suppressed.
> 
> I'm guessing that the reply / kpasswd traffic is not a valid DNS query.
> 
> As such, I would think that it's possible to detect this and respond accordingly.  If the incoming packet is not a valid DNS query and it's from one of the aforementioned ports, ignore it / drop the outbound error message.
> 
> If the incoming packet is a valid DNS query, then go ahead and reply.
> 
>> There are ~63500 ephemeral ports
> 
> Sadly, many things don't use that wide of an Ephemeral Port range by default.
> 
> Per IANA, the 65536 possible port are divided into three ranges:
> 
>    0 to  1023 for System
> 1024 to 49151 for User Ports
> 49152 to 65535 for Dynamic and / or Private Ports a.k.a. Ephemeral Ports
> 
> So, strictly adhering to IANA recommendations, there are only 16,384 Ephemeral Ports (14 bits).
> 
> This means that DNS administrators either use their OS default, adhere to IANA's recommendation, or use something of their own choosing.
> 
> I guess "their own choosing" could be 1024-65535.  That amounts to 64512 possible ports / ~15.98 bits.  Conversely, 65536 ports amounts to 16 bits.
> 
> See my other replies for my questions about why BIND can't be more selective in the replies it processes.

Named is already selective about what it doesn’t reply to.

* Packets < 12 octets (DNS header size) don’t get a reply.
* QR=1 doesn’t get a reply.
* Source port 0 doesn’t get a reply (source port 0 is “discard me”).
* Kpasswd doesn’t get FORMERR.
* echo, chargen, time and daytime don’t get a reply.

The last 2 sets have been used in reflection attacks in the past.
Traffic loops don’t spontaneously come into existence.  There are
also very few UDP services.

As for the replies named processes: there has to be an outstanding
request from the source port to the destination port.  QR must be
1 for it to be processed.  The qid must also be outstanding for
that source and destination port tuple.  The packet must also be
well formed.  The question section must also match the query for
non-error responses.

Mark

> -- 
> Grant. . . .
> unix || die
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
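The two rule sets above (what an inbound packet has to look like before named will answer it, and what a reply has to match before named will process it) are easy to state but easy to get subtly wrong, so here is a small model of them in Python. This is an added example written for this page, not BIND code: the port numbers for echo (7), daytime (13), chargen (19), time (37) and kpasswd (464) are the IANA assignments, the message parser only handles a single, uncompressed question (enough for queries and the responses that echo them), and all packets are constructed inline.

```python
import struct

DNS_HEADER_LEN = 12
# IANA small-service ports named will not answer from (see the list in the post).
SMALL_SERVICE_PORTS = {7: "echo", 13: "daytime", 19: "chargen", 37: "time"}
KPASSWD_PORT = 464  # malformed packets from here get silently dropped, not FORMERR


def parse_message(pkt):
    """Parse header + question section.  Returns a dict, or None if malformed.
    Simplification (assumption): at most one question, no label compression."""
    if len(pkt) < DNS_HEADER_LEN:
        return None
    qid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    msg = {"id": qid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF, "question": None}
    if qdcount == 0:
        return msg
    if qdcount != 1:
        return None
    pos, labels = DNS_HEADER_LEN, []
    while True:
        if pos >= len(pkt):
            return None                       # ran off the end inside the name
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n >= 0x40 or pos + n > len(pkt):
            return None                       # compression pointer or truncated label
        labels.append(pkt[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(pkt):
        return None                           # no room for QTYPE/QCLASS
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    msg["question"] = (".".join(labels) + ".", qtype, qclass)
    return msg


def triage_query(src_port, pkt):
    """Inbound UDP packet on port 53: return 'answer', 'drop' or 'formerr'."""
    if len(pkt) < DNS_HEADER_LEN:
        return "drop"                         # shorter than a DNS header
    (flags,) = struct.unpack("!H", pkt[2:4])
    if flags & 0x8000:
        return "drop"                         # QR=1: a response, not a query
    if src_port == 0:
        return "drop"                         # source port 0 means "discard me"
    if src_port in SMALL_SERVICE_PORTS:
        return "drop"                         # reflection / traffic-loop fodder
    msg = parse_message(pkt)
    if msg is None or msg["question"] is None:
        # Malformed: FORMERR for everyone except kpasswd, which would loop.
        return "drop" if src_port == KPASSWD_PORT else "formerr"
    return "answer"


class PendingQueries:
    """Outstanding queries keyed by (local port, remote port, qid)."""

    def __init__(self):
        self.pending = {}

    def register(self, local_port, remote_port, qid, question):
        self.pending[(local_port, remote_port, qid)] = question

    def accept_response(self, local_port, remote_port, pkt):
        """Apply the reply-side checks from the post; returns (accepted, reason)."""
        msg = parse_message(pkt)
        if msg is None:
            return False, "malformed"
        if not msg["qr"]:
            return False, "QR=0"
        key = (local_port, remote_port, msg["id"])
        question = self.pending.get(key)
        if question is None:
            return False, "no outstanding query for this port tuple and qid"
        if msg["rcode"] == 0 and msg["question"] != question:
            return False, "question section does not match the query"
        del self.pending[key]                 # consume it so a replay is rejected
        return True, "accepted"


def build_message(qid, qr, rcode, name, qtype=1, qclass=1):
    """Constructed sample packet: header plus one question (none if name is None)."""
    out = struct.pack("!HHHHHH", qid, (qr << 15) | rcode, 0 if name is None else 1, 0, 0, 0)
    if name is not None:
        for label in name.rstrip(".").split("."):
            if label:
                out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00" + struct.pack("!HH", qtype, qclass)
    return out


if __name__ == "__main__":
    q = build_message(0x1234, 0, 0, "example.com.")
    for port in (40000, 19, 0, KPASSWD_PORT):
        print(port, triage_query(port, q), triage_query(port, q[:-2]))
    pq = PendingQueries()
    pq.register(40000, 53, 0x1234, ("example.com.", 1, 1))
    print(pq.accept_response(40000, 53, build_message(0x1234, 1, 0, "example.com.")))
```

Note that a truncated packet from port 464 is dropped while the same packet from an ordinary ephemeral port earns a FORMERR, and that a response whose qid is right but whose (local port, remote port) tuple or question section is wrong never reaches the cache.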


