Preventing a particular type of nameserver abuse

Wed Apr 14 07:48:48 UTC 2021

On 14/04/2021 00:29, @lbutlr wrote:

>> A legitimate client, following a normal chain of referrals, has *no*
>> reason to query a server for zones it is not authoritative for.
> 
> Well, that's not really true. A mobile user might have their device
> configured to always check their corporate DNS server first, for
> example, then fall back if that fails.

I'm not talking of DNS *resolvers* here. I'm talking of authoritative
servers. If my authoritative server is authoritative for zones A, B and
C, then I should only get queries for those zones from legitimate
resolvers and clients. Queries for any other zones should *not* be
coming to my server. I shouldn't even be obliged to answer with REFUSED.
I should just be able to ignore those queries completely as junk.

> Refusing makes everything faster, ignoring breaks things and makes things slower.
> 
> When a DNS host refuses a query, it will not be queried again, wen
> it times out, is is still in the rotation.

This is a misbelief. When a resolver fails to get an answer from an
authoritative server (whether explicitly with a REFUSED response, or
just a timeout), it may lower the preference for that name server, but
will eventually retry, in case that server is able to answer for that
zone again.

>> Most of the time, such a query would only arrive at a name server from a naughty
>> client.
> 
> Unlikely as there is no benefit to the "naughty" client. This is not
> a
> amplification attack, the refusal is a short packet, meaning the query
> from the client is probably larger than the response. Very inefficient
> for naughty clients.

Amplification isn't necessary for causing a DDoS towards an innocent
client. Even a high-enough packet rate (with small packets), can
overwhelm the upstream router of the client, or use up a significant
portion of the bandwidth. It can also cause problems for the client
whose networking stack has to deal with the packets. Whether an unwanted
packet is of 100 bytes or 1000 bytes, the network stack has to deal with
it somehow.

>> And then, replying with any response, even REFUSED, is
>> satisfying this client's naughtiness.
> 
> How?

A spoofer gets to generate responses, however, small, towards an
innocent client.

>> I think it's quite okay for an authoritative name server to simply DROP
>> UDP queries for zones
> 
> It's not.

If you try to SSH to a server that you're not supposed to connect to,
and it drops your packets, you won't complain right? So why are you so
bothered about a DNS server that drops queries it's not supposed to be
receiving? The DNS resolution protocol is clear. A resolver is supposed
to follow a chain of referrals, and not query any random server on the
Internet. So a legitimate resolver has no business querying random
authoritative servers for zones they're not supposed to serve.

>> that it's not authoritative for. It's better to
>> ignore naughty clients, and give them the cold shoulder, and not
>> participate in reflection attacks using REFUSED responses.
> 
> How do you imagine this is a reflection attack? It is far too small
> to be an effective attack for anything.

This is a short-sighted opinion. If just one authoritative server sends
out REFUSED responses towards an innocent, it won't matter. But if 1000
authoritative servers all send out REFUSED responses towards an innocent
IP address, their combined volume and packet rate *is* significant.

Regards,
Anand