Running a DNSSec responder? Make sure it doesn't help the black hats

Sysadmins are making mistakes configuring and managing DNSSec, and it's leaving systems that should be secure open to exploitation in DNS reflection attacks. That's the conclusion of Neustar, in a study which found that, of more than 1,300 DNSSec-protected domains tested, 80 per cent could be used in an attack …

  1. Chronos

    Rate limiting

    It was a bit of a mistake to default DNS to UDP which can be spoofed trivially by anyone with raw socket access on an OS but we're stuck with it. Turning off ANY is RFC ignorant, therefore rate limiting would seem to be the answer - per host, preferably, allowing a couple of queries through then logarithmically adding treacle. Should stop any amplification shenanigans well enough, although it does potentially open another DoS vector via spoofed UDP.

    1. Anonymous Coward

      Re: Rate limiting

      "Turning off ANY is RFC ignorant"

      https://datatracker.ietf.org/doc/draft-ietf-dnsop-refuse-any/?include_text=1

      1. Chronos

        Re: Rate limiting

        @gerdesj: Thanks for that. I retract that statement. I'm obviously not as RFC-clueful as I should be.

  2. Alan Brown

    security 101

    Only allow authorised users to make queries.

    In this case: Only allow recursive queries from authorised networks _and_ put in rate limiting on queries.

    For the former case, I slapped access restrictions on my DNS servers about 20 years ago after noticing an inordinate number of recursive requests from a range of IPs in an ISP in another country.

    It turned out they were giving their customers my DNS servers as their resolvers.

    This got posted to bugtraq at the time.

    If you want to be even more evil, you can allow some requests but give deliberately bogus answers - quite easy with split-horizons - just don't forget to rate-limit the responses so you don't participate in a DDoS.
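The two controls discussed in Chronos's "Rate limiting" thread and in Alan Brown's post above (recursion only from authorised networks, plus a per-source limit that lets a couple of queries through and then adds increasing delay) can be sketched as one admission-control routine. The code below is an added illustration written for this page, not code from any DNS server, and the class, method names and the 192.0.2.0/24 and 198.51.100.7 addresses are constructed for the example.

```python
import ipaddress
import math
from collections import defaultdict


class Responder:
    """Admission control for a DNS responder: a recursion ACL plus a per-source
    rate limit that lets a short burst through, then slows (and finally drops)
    further queries. Constructed illustration, not a real server's code."""

    def __init__(self, recursion_allowed, burst=2, window=1.0,
                 base_delay=0.25, max_delay=1.0):
        self.acl = [ipaddress.ip_network(n) for n in recursion_allowed]
        self.burst = burst            # queries per window served at full speed
        self.window = window          # seconds of history kept per source
        self.base_delay = base_delay  # treacle unit, scaled by log2(1 + excess)
        self.max_delay = max_delay    # past this, stop answering the source
        self.history = defaultdict(list)  # source IP -> recent query timestamps

    def recursion_permitted(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.acl)

    def decide(self, src, rd, now):
        """Return (action, delay_seconds) for one query from `src` at time `now`.
        action is 'refuse' (send REFUSED), 'serve' (after `delay`) or 'drop'."""
        # Recursive queries (RD bit set) are only honoured from authorised networks.
        if rd and not self.recursion_permitted(src):
            return "refuse", 0.0
        # Per-source sliding window: forget timestamps older than the window.
        recent = [t for t in self.history[src] if now - t < self.window]
        recent.append(now)
        self.history[src] = recent
        excess = len(recent) - self.burst
        if excess <= 0:
            return "serve", 0.0            # within the burst: answer immediately
        # Beyond the burst, delay grows logarithmically with the excess...
        delay = self.base_delay * math.log2(1 + excess)
        if delay > self.max_delay:
            return "drop", 0.0             # ...until the source is simply not answered
        return "serve", delay


def simulate(responder, src, rd, count, start=0.0, spacing=0.01):
    """Feed `count` queries from one source, `spacing` seconds apart, and
    return the list of (action, delay) decisions the responder made."""
    return [responder.decide(src, rd, start + i * spacing) for i in range(count)]


if __name__ == "__main__":
    r = Responder(recursion_allowed=["192.0.2.0/24"])
    print(r.decide("198.51.100.7", rd=True, now=0.0))   # refused: outside the ACL
    for action, delay in simulate(r, "192.0.2.10", True, 20):
        print(action, round(delay, 3))
```

Note that a REFUSED reply is still a reply: it removes the amplification but not the reflection, which is why the limiter above eventually stops answering a source altogether rather than only slowing it down, and why a spoofed flood can push a legitimate resolver sharing that source address into the "drop" state (the DoS vector Chronos mentions).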

  3. Alan Brown

    DNS uses UDP

    But DNSSEC replies are _always_ TCP.

    1. jeeps

      Re: DNS uses UDP

      Not true, where possible DNS will attempt to respond using UDP, and it certainly wouldn't send a TCP response to a UDP query.

      DNSSEC requires the use of EDNS0 which can expand the UDP packet size to 4096 bytes, and will negotiate the maximum packet size with the client (firewalls usually choke on these large packets so they have to work out what is the largest size that can be used). Only if the full response is too large to fit in the negotiated size will it set the TC flag indicating to the client to requery using TCP if they want the full response.

      1. hmv

        Re: DNS uses UDP

        One minor correction. Only broken firewalls that haven't been updated since August 1999 will break EDNS0. If you've got such a firewall, go and shout at your firewall vendor for selling a piece of crap not fit for purpose.

        1. jeeps

          Re: DNS uses UDP

          Not necessarily; a number of vendors' default max UDP size is 1500, and you have to explicitly bump it up to 4096 to take full advantage of EDNS0.

  4. Simon Hobson

    Force TCP all the time?

    Just sort of throwing ideas out there ...

    What about setting the server up to allow only very small responses before setting the TCP flag?

    Yes it'll increase load and packet count for legitimate clients - but it would stop amplification attacks, or at least reduce them to simple reflection attacks in volume.
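The EDNS0 negotiation jeeps describes above (the client advertises a UDP payload size, the server answers within the smaller of that and its own maximum, and sets TC when the full answer does not fit) is also the knob Simon Hobson's suggestion turns: lower the server-side maximum and large answers go to TCP. The encoder below is an added example written for this page in pure Python, not code from any DNS server; the record layout follows RFC 1035 and RFC 6891, while `build_response`, `Plan` and the example.com data are constructed for the illustration. When an answer does not fit, it sends the question section only with TC set, which is one of the two behaviours servers use (the other is to include as many whole RRs as fit).

```python
import struct
from typing import NamedTuple

TYPE_A, TYPE_TXT, TYPE_OPT = 1, 16, 41
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200
DNS_MIN_UDP = 512          # classic UDP limit without EDNS0 (RFC 1035)


class Plan(NamedTuple):
    wire: bytes      # the response as it would go on the wire
    tc: bool         # whether the TC bit was set
    answers: int     # RRs actually included in the answer section
    limit: int       # the negotiated UDP payload size that was enforced


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def encode_rr(name, rtype, rdata, ttl=300):
    # NAME, TYPE, CLASS (IN=1), TTL, RDLENGTH, RDATA
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def encode_opt(udp_size):
    # OPT pseudo-RR (RFC 6891): root name, TYPE 41, the CLASS field carries the
    # sender's UDP payload size, TTL carries extended RCODE/flags (0 here).
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)


def txt_rdata(text):
    data = text.encode("ascii")
    return bytes([len(data)]) + data      # one <character-string>, max 255 bytes


def build_response(qname, qtype, rrs, client_udp_size, server_max_udp=4096, txid=0x1234):
    """Build a UDP response to a query for (qname, qtype) whose answer is `rrs`
    (list of (name, type, rdata)). `client_udp_size` is the size advertised in
    the query's OPT record, or None if the query carried no EDNS0."""
    if client_udp_size is None:
        limit, opt = DNS_MIN_UDP, b""               # no EDNS0: 512 bytes, no OPT in reply
    else:
        limit = max(DNS_MIN_UDP, min(client_udp_size, server_max_udp))
        opt = encode_opt(server_max_udp)            # echo our own maximum back
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answers = b"".join(encode_rr(n, t, d) for n, t, d in rrs)
    fits = 12 + len(question) + len(answers) + len(opt) <= limit
    if not fits:
        answers = b""      # truncated: question only, TC set, client retries over TCP
    ancount = len(rrs) if fits else 0
    flags = FLAG_QR | FLAG_AA | (0 if fits else FLAG_TC)
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 1 if opt else 0)
    return Plan(header + question + answers + opt, not fits, ancount, limit)


def tc_bit_set(wire):
    """Read the TC bit straight from the wire header, as a client would."""
    return bool(struct.unpack("!H", wire[2:4])[0] & FLAG_TC)


if __name__ == "__main__":
    # Constructed data: ten 200-byte TXT records, a roughly 2.3 KB answer.
    big = [("example.com.", TYPE_TXT, txt_rdata("x" * 200)) for _ in range(10)]
    for advertised in (4096, 1232, None):
        p = build_response("example.com.", TYPE_TXT, big, advertised)
        print(advertised, p.limit, len(p.wire), "TC" if p.tc else "full")
    # Simon's idea: cap the server side at 512 so the same answer is forced to TCP.
    print(build_response("example.com.", TYPE_TXT, big, 4096, server_max_udp=512).tc)
```

Running it shows the same 2,280-byte answer going out whole at 4096, but as a 40-byte TC reply at 1232 (the size recommended by DNS Flag Day 2020) and a 29-byte TC reply for a non-EDNS client. That 29-to-40-byte reply is the "simple reflection" Simon refers to: the spoofed victim still receives a packet, but no larger than the query that provoked it.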
