Millions of './ANY/IN' queries denied

Thu Dec 16 13:28:34 UTC 2021


Am 16.12.21 um 14:22 schrieb Andrew P.:
> Sorry about forgetting to post the list. I hit Reply instead of Reply All. Annoying inconsistent list servers....

blame your mail-client for not support "reply-list" buttons and 
"reply-all" is breaking this for me  :-)

> You don't understand what kind of blacklist I want; I want to blacklist the domain name being asked for, so I don't answer for it. I'm not looking to blacklist forged IP addresses of requestors (since we all know criminals don't use their own identities; they use the identities of innocent bystanders).
> 
> Again, why should _my_ nameserver_ respond to a query for "./ANY/IN"? I am not a rootserver, and never will be.


AGAIN: you don't gain anything by not responding on a UDP protocol 
because the client can't distinct no response and packet loss

so you *increase* the load by retries on the client

don't get me wrong but you need to understand the implications of what 
you are doing - for DOS attacks "Response Rate Limiting" was invented 
and for non-DOS requests there isn't any valid reason to take action

> ________________________________________
> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Reindl Harald <h.reindl at thelounge.net>
> Sent: Thursday, December 16, 2021 8:14 AM
> To: bind-users at lists.isc.org
> Subject: Re: Millions of './ANY/IN' queries denied
> 
> 
> 
> Am 16.12.21 um 14:04 schrieb Andrew P.:
>> So you're claiming that legitimate resolvers would still be pointing at the wrong IP address for a public DNS server after over 16 years?
> 
> besides that i don't know why you are answering off-list nowhere did i
> say anything about 16 years
> 
> but it can take time
> 
> just because some IP is asking for a domain you don't host is for sure
> not a justification for automated blacklisting - that will happen
> regulary after domain-transfers for some time
> 
>> And asking repeatedly and rapidly for the same illegal root domain name in synchronized bursts of 10 queries supposedly from 10 different IP addresses?
> 
> that's what "Response Rate Limiting" is for
> 
>> I say that because I have held the particular static IPv4 address that my nameserver is running on for that long, and I have never run a root nameserver of any sort, or hosted domains for anyone but myself.
> 
> fine, that's *your* case - we host 800 domains and all the time some get
> transferred to us and some get away
> 
>> I agree with the concept of a blacklist
> 
> i don't because the IP is in most cases FORGED
> 
>> how do I set up one on my copy of bind so I can refuse to answer those obvious DNS DDoS attacks? While still answering legitimate requests for the domains I do hosts, that is.
> 
> "Response Rate Limiting"
> 
> again: the IP you mostly see is FORGED and the victim not the attacker
> and all you do is blacklisting the innocent victim which never did
> anything bad
> 
> with automated blacklisting you expose yourself to a simple DOS attack -
> when i forge 8.8.8.8 and 8.8.4.4 and you do automated blacklisting i
> take your domain offline for anybody on the planet using the google
> resolvers
> 
> and after 8.8.8.8 and 8.8.4.4 i feed you with a list of all known ISP
> resolvers for endusers - game over, you blacklisted the world
> 
>> ________________________________________
>> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Reindl Harald <h.reindl at thelounge.net>
>> Sent: Wednesday, December 15, 2021 8:44 AM
>> To: bind-users at lists.isc.org
>> Subject: Re: Millions of './ANY/IN' queries denied
>>
>>
>>
>> Am 15.12.21 um 14:33 schrieb Andrew P.:
>>> So why isn't there a way to tell BIND not to respond to queries for which it clearly is not authoritative (such as these attack vectors)? Since no legitimate resolver would be asking a non-authoritative server for information, why should his (or my) public BIND server respond to these even with an error message?
>>
>> because in case of UDP it would make things much worser
>>
>> how do the client smell that you didn't respond by purpose and distinct
>> it from packet loss leading to retries?
>>
>> ------------------
>>
>> "Since no legitimate resolver would be asking a non authoritative server
>> for information" isn't true at all
>>
>> years ago we moved a server to a different location and all sorts of ISP
>> resolvers did respond with old IPs months later, the dumbest one even
>> played lottery responding 50% old and 50% new IP
>>
>> i found that out by random complaints because one domain had 60 count
>> subdomains and started to query all open rsolvers i was able to find
>> with script's - a tragedy
>>
>> that machine was sadly the primary NS for 800 domains and over the
>> months the old ip could have been ru-used for a new customer running a
>> nameserver for completly different domains
>>
>> ------------------
>>
>> long story short: no sane service should supress replies completly
>> unless a explicit blacklist saying so is involved
>>
>>> ________________________________________
>>> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Ondřej Surý <ondrej at isc.org>
>>> Sent: Wednesday, December 15, 2021 7:18 AM
>>> To: Danilo Godec
>>> Cc: bind-users at lists.isc.org
>>> Subject: Re: Millions of './ANY/IN' queries denied
>>>
>>>> Would I be doing a bad thing by using fail2ban to block these IPs?
>>>
>>> That’s the question that only you can answer.  The IP addresses are
>>> not attacker’s but victim’s and you would be punishing those networks
>>> by blocking access from them to your network.
>>>
>>> Do you absolutely know that these IP addresses doesn’t need access
>>> to your DNS?  If yes, then go ahead.