Millions of './ANY/IN' queries denied

Reindl Harald h.reindl at thelounge.net
Thu Dec 16 13:14:40 UTC 2021 


Am 16.12.21 um 14:04 schrieb Andrew P.:
> So you're claiming that legitimate resolvers would still be pointing at the wrong IP address for a public DNS server after over 16 years? 

besides that i don't know why you are answering off-list nowhere did i 
say anything about 16 years

but it can take time

just because some IP is asking for a domain you don't host is for sure 
not a justification for automated blacklisting - that will happen 
regulary after domain-transfers for some time

> And asking repeatedly and rapidly for the same illegal root domain name in synchronized bursts of 10 queries supposedly from 10 different IP addresses? 

that's what "Response Rate Limiting" is for

> I say that because I have held the particular static IPv4 address that my nameserver is running on for that long, and I have never run a root nameserver of any sort, or hosted domains for anyone but myself.

fine, that's *your* case - we host 800 domains and all the time some get 
transferred to us and some get away

> I agree with the concept of a blacklist

i don't because the IP is in most cases FORGED

> how do I set up one on my copy of bind so I can refuse to answer those obvious DNS DDoS attacks? While still answering legitimate requests for the domains I do hosts, that is.

"Response Rate Limiting"

again: the IP you mostly see is FORGED and the victim not the attacker 
and all you do is blacklisting the innocent victim which never did 
anything bad

with automated blacklisting you expose yourself to a simple DOS attack - 
when i forge 8.8.8.8 and 8.8.4.4 and you do automated blacklisting i 
take your domain offline for anybody on the planet using the google 
resolvers

and after 8.8.8.8 and 8.8.4.4 i feed you with a list of all known ISP 
resolvers for endusers - game over, you blacklisted the world

> ________________________________________
> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Reindl Harald <h.reindl at thelounge.net>
> Sent: Wednesday, December 15, 2021 8:44 AM
> To: bind-users at lists.isc.org
> Subject: Re: Millions of './ANY/IN' queries denied
> 
> 
> 
> Am 15.12.21 um 14:33 schrieb Andrew P.:
>> So why isn't there a way to tell BIND not to respond to queries for which it clearly is not authoritative (such as these attack vectors)? Since no legitimate resolver would be asking a non-authoritative server for information, why should his (or my) public BIND server respond to these even with an error message?
> 
> because in case of UDP it would make things much worser
> 
> how do the client smell that you didn't respond by purpose and distinct
> it from packet loss leading to retries?
> 
> ------------------
> 
> "Since no legitimate resolver would be asking a non authoritative server
> for information" isn't true at all
> 
> years ago we moved a server to a different location and all sorts of ISP
> resolvers did respond with old IPs months later, the dumbest one even
> played lottery responding 50% old and 50% new IP
> 
> i found that out by random complaints because one domain had 60 count
> subdomains and started to query all open rsolvers i was able to find
> with script's - a tragedy
> 
> that machine was sadly the primary NS for 800 domains and over the
> months the old ip could have been ru-used for a new customer running a
> nameserver for completly different domains
> 
> ------------------
> 
> long story short: no sane service should supress replies completly
> unless a explicit blacklist saying so is involved
> 
>> ________________________________________
>> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Ondřej Surý <ondrej at isc.org>
>> Sent: Wednesday, December 15, 2021 7:18 AM
>> To: Danilo Godec
>> Cc: bind-users at lists.isc.org
>> Subject: Re: Millions of './ANY/IN' queries denied
>>
>>> Would I be doing a bad thing by using fail2ban to block these IPs?
>>
>> That’s the question that only you can answer.  The IP addresses are
>> not attacker’s but victim’s and you would be punishing those networks
>> by blocking access from them to your network.
>>
>> Do you absolutely know that these IP addresses doesn’t need access
>> to your DNS?  If yes, then go ahead.

More information about the bind-users mailing list