BIND ignores queries from specific privileged source ports

Grant Taylor gtaylor at tnetconsulting.net
Tue Jun 11 00:04:56 UTC 2019


On 6/10/19 4:56 PM, Mark Andrews wrote:
> Named is already selective about what it doesn’t reply to.
> 
> * Packets < 12 octets (DNS header size) don’t get a reply.
> * QR=1 doesn’t get a reply.
> * Source port 0 doesn’t get a reply (source port 0 is “discard me”).
> * Kpasswd doesn’t get FORMERR.
> * echo, chargen, time and daygen don’t get a reply.
> 
> The last 2 sets have been used in reflection attacks in the past.

Would those reflection attacks work today with BIND's current filtering 
(save for filtering source port)?

I don't understand how an incoming packet from chargen, time, or daygen 
could be interpreted as a valid DNS query.  I guess a specially crafted 
packet from echo /might/ conceptually be able to be interpreted as a DNS 
query.  I would be shocked if anything from kpasswd could be interpreted 
as a DNS query.

I can see how any of these might elicit a format error reply from BIND. 
But I feel like filtering a format error reply based on the handful of 
ports would allow legitimate queries from said ports.

> Traffic loops don’t spontaneously come into existence.

ACK

I was thinking more along the lines of:

1)  Attacker spoofs the source of something that will elicit a format error.
2)  BIND receives the packet and sends a format error to echo.
3)  Echo receives the format error and echoes it back to BIND.
4)  GOTO 2

> There are also very few UDP services.
> 
> As for the replies named processes: there has to be an outstanding
> request from the source port to the destination port.  QR must be
> 1 for it to be processed.  The qid must also be outstanding for
> that source and destination port tuple.  The packet must also be
> well formed.  The question section must also match the query for
> non-error responses.

I don't see how BIND would even get into a situation where it might have 
something to send without all of that being true.

I would also think that anything that wasn't a legitimate DNS request 
would have never made it to the point that there was a reply to 
potentially be sent out.

I'm guessing there is history that I'm completely ignorant of.  I hope 
that a lot of things have changed since then that I'm ignorant of.



-- 
Grant. . . .
unix || die
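The following is an added illustration, not code from the thread or from BIND itself. It models the drop rules Mark Andrews lists (short packets, QR=1, source port 0, the echo/chargen/time/daytime ports, no FORMERR for kpasswd) as a small classifier for incoming UDP datagrams, and then plays through the four-step echo loop Grant describes. The port numbers are the IANA assignments and are my assumption, as is reading "daygen" as daytime (13); the FORMERR construction is simplified to "set QR and RCODE on the offending packet". The point the simulation makes visible is that even with the port filter switched off, the echoed FORMERR comes back with QR=1 and is dropped by the QR rule, so the loop ends after one reply.

```python
import struct

# IANA ports for the services named in the thread (assumed; the thread names
# the services only).  "daygen" is read here as daytime (13).
ECHO, DAYTIME, CHARGEN, TIME, KPASSWD = 7, 13, 19, 37, 464
NO_REPLY_PORTS = {ECHO, DAYTIME, CHARGEN, TIME}


def parse_question(payload):
    """Return (qname, qtype, qclass) for a single-question DNS message,
    or None if the question section is malformed or truncated."""
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount != 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None                      # name runs past end of packet
        ln = payload[pos]
        pos += 1
        if ln == 0:
            break
        if ln > 63 or pos + ln > len(payload):
            return None                      # bad label length or truncated
        labels.append(payload[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(payload):
        return None                          # QTYPE/QCLASS missing
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def classify(src_port, payload, port_filter=True):
    """Decide what a resolver following the thread's rules does with a
    datagram: 'drop' (silent), 'formerr', or 'answer'."""
    if src_port == 0:
        return "drop"                        # source port 0 means "discard me"
    if port_filter and src_port in NO_REPLY_PORTS:
        return "drop"                        # reflection-prone UDP services
    if len(payload) < 12:
        return "drop"                        # shorter than a DNS header
    flags = struct.unpack("!H", payload[2:4])[0]
    if flags & 0x8000:
        return "drop"                        # QR=1: this is a response, not a query
    if parse_question(payload) is None:
        if port_filter and src_port == KPASSWD:
            return "drop"                    # kpasswd gets no FORMERR
        return "formerr"
    return "answer"


def build_query(qid, name, qtype=1, qclass=1):
    """Construct a well-formed standard query (RD=1) for the examples."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def make_formerr(query):
    """Simplified FORMERR reply: same packet with QR=1 and RCODE=1."""
    qid, flags = struct.unpack("!HH", query[:4])
    flags = ((flags | 0x8000) & 0xFFF0) | 1
    return struct.pack("!HH", qid, flags) + query[4:]


def simulate_loop(port_filter, max_rounds=10):
    """Play Grant's steps 1-4: a spoofed packet from the echo port that elicits
    FORMERR; echo returns every reply verbatim.  Returns how many FORMERR
    replies the resolver emits before the exchange dies."""
    # Constructed malformed query: header claims one question, none follows.
    payload = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    replies = 0
    while replies < max_rounds:
        if classify(ECHO, payload, port_filter) != "formerr":
            break
        payload = make_formerr(payload)      # echo sends this straight back
        replies += 1
    return replies


if __name__ == "__main__":
    print("good query from port 53:", classify(53, build_query(1, "example.com")))
    print("good query from echo:", classify(ECHO, build_query(1, "example.com")))
    print("echo loop, port filter on:", simulate_loop(True), "replies")
    print("echo loop, port filter off:", simulate_loop(False), "replies")
```

Without the port filter, the classifier does answer a well-formed query that happens to arrive from port 7, which is the legitimate-traffic concern raised in the post; with it, the loop never starts, and even without it the QR check ends the loop after the first FORMERR.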


