Anand Buddhdev
2020-May-07 10:13 UTC
[nsd-users] Unexpected responses to ANY queries over TCP
Hi folks,

This question is directed mainly at the NSD developers, but I'm posting it here for knowledge sharing.

NSD with default settings returns a partial response to ANY queries, whether the queries are made over UDP or TCP. I did not expect this. I went through all the release notes, and found this:

4.1.27
===============
FEATURES:
- Deny ANY with only one RR in response, by default. Patch from Daisuke Higashi. The deny-any statement in nsd.conf sets ANY queries over UDP to be further moved to TCP as well. Also no additional section processing for type ANY, reducing the response size.

My expectation is that it's fine to return a partial response over UDP. But, over TCP, I should get all the records at the queried qname. I don't understand why NSD chooses to return a partial response over TCP. What is the reasoning behind this?

In contrast, other servers like BIND and Knot >= 2.9.4 make a distinction between ANY queries received over UDP versus TCP. Over UDP, they return a partial response. Over TCP, they do return all the records.

Regards,
Anand Buddhdev
RIPE NCC
Tuomo Soini
2020-May-07 12:20 UTC
[nsd-users] Unexpected responses to ANY queries over TCP
On Thu, 7 May 2020 12:13:24 +0200
Anand Buddhdev via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:

> NSD with default settings, returns a partial response to ANY queries,
> whether the queries are made over UDP or TCP. I did not expect this.

> In contrast, other servers like BIND and Knot>=2.9.4 make a
> distinction between ANY queries received over UDP versus TCP. Over
> UDP, they return a partial response. Over TCP, they do return all the
> records.

I just explained to the Knot developers yesterday why it's a bad idea to respond to ANY queries on TCP on an authoritative server. Let's try to do it again now here.

As long as an authoritative server answers ANY queries over TCP, it is possible to do a DNS amplification attack like the one described here:

https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

So a DNS server responding to ANY queries (especially applicable when DNSSEC is used) can be used as a tool for a DNS amplification attack. It doesn't matter if the query is UDP or TCP; resolvers can query with TCP at any time, and still respond to victims with UDP. So it's an important part of mitigation to do it at all levels.

The only way to prevent this is to implement RFC 8482 for both UDP and TCP on an authoritative server.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
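The two messages above disagree about transport, but both turn on the same quantity: how many bytes an ANY answer carries relative to the 29-byte query that asks for it. The following is an added example for this thread, not code from NSD, BIND or Knot. It hand-encodes RFC 1035 wire format for a constructed apex (the records, TTLs and addresses are made up for illustration) and builds the ANY answer under four policies: the full answer that BIND and Knot return over TCP, a single RRset (RFC 8482 section 4.1), a single RR (the behaviour Anand quotes from the NSD 4.1.27 release note), and the synthesised HINFO "RFC8482" record (RFC 8482 section 4.2). Which RRset or RR a real server picks is implementation-specific and is not modelled; the example deterministically takes the lowest type number. No name compression is used, so sizes are slightly larger than a real server would emit, and no DNSSEC records are included, which would make the full answer much larger still.

```python
"""Size of ANY answers under full vs RFC 8482 minimal policies (added example)."""
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_HINFO, TYPE_MX, TYPE_TXT, TYPE_AAAA, TYPE_ANY = 1, 2, 13, 15, 16, 28, 255
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format owner name (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label too long: " + label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def char_string(s: str) -> bytes:
    """<character-string>: one length octet followed by up to 255 octets."""
    b = s.encode("ascii")
    if len(b) > 255:
        raise ValueError("character-string too long")
    return bytes([len(b)]) + b


def encode_rdata(rtype: int, rdata) -> bytes:
    if rtype in (TYPE_A, TYPE_AAAA):
        return ipaddress.ip_address(rdata).packed
    if rtype == TYPE_NS:
        return encode_name(rdata)
    if rtype == TYPE_MX:
        preference, exchange = rdata
        return struct.pack("!H", preference) + encode_name(exchange)
    if rtype == TYPE_TXT:
        return b"".join(char_string(s) for s in rdata)
    if rtype == TYPE_HINFO:
        cpu, os_ = rdata
        return char_string(cpu) + char_string(os_)
    raise ValueError(f"unsupported type {rtype}")


def encode_rr(owner: str, rtype: int, ttl: int, rdata) -> bytes:
    wire = encode_rdata(rtype, rdata)
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(wire)) + wire


def build_query(qname: str, qtype: int = TYPE_ANY, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def build_any_response(qname: str, rrsets: dict, policy: str, txid: int = 0x1234) -> bytes:
    """rrsets maps rtype -> (ttl, [rdata, ...]).

    policy: "full"   every RRset at the name (what BIND/Knot send over TCP)
            "subset" one RRset only (RFC 8482 section 4.1)
            "one_rr" one RR only (the NSD 4.1.27 default quoted in the thread)
            "hinfo"  synthesised HINFO "RFC8482" (RFC 8482 section 4.2)
    The lowest type number is chosen for "subset"/"one_rr"; real servers differ.
    """
    ordered = sorted(rrsets.items())
    if policy == "full":
        chosen = [(t, ttl, rd) for t, (ttl, rds) in ordered for rd in rds]
    elif policy == "subset":
        t, (ttl, rds) = ordered[0]
        chosen = [(t, ttl, rd) for rd in rds]
    elif policy == "one_rr":
        t, (ttl, rds) = ordered[0]
        chosen = [(t, ttl, rds[0])]
    elif policy == "hinfo":
        chosen = [(TYPE_HINFO, 3789, ("RFC8482", ""))]  # TTL value is arbitrary here
    else:
        raise ValueError("unknown policy " + policy)
    answer = b"".join(encode_rr(qname, t, ttl, rd) for t, ttl, rd in chosen)
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(chosen), 0, 0)  # QR|AA
    question = encode_name(qname) + struct.pack("!HH", TYPE_ANY, CLASS_IN)
    return header + question + answer


def amplification(qname: str, rrsets: dict, policy: str) -> float:
    """Bytes an attacker gets back per byte of spoofed query."""
    return len(build_any_response(qname, rrsets, policy)) / len(build_query(qname))


# Constructed sample apex; addresses are from documentation ranges, not real data.
SAMPLE_ZONE = {
    TYPE_A:    (3600, ["192.0.2.10", "192.0.2.11"]),
    TYPE_AAAA: (3600, ["2001:db8::10", "2001:db8::11"]),
    TYPE_NS:   (86400, ["ns1.example.net.", "ns2.example.net."]),
    TYPE_MX:   (3600, [(10, "mx1.example.net."), (20, "mx2.example.net.")]),
    TYPE_TXT:  (300, [["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 mx -all"],
                      ["google-site-verification=" + "x" * 43]]),  # placeholder token
}

if __name__ == "__main__":
    q = build_query("example.com.")
    for policy in ("full", "subset", "one_rr", "hinfo"):
        r = build_any_response("example.com.", SAMPLE_ZONE, policy)
        print(f"{policy:7s} query={len(q):3d}B response={len(r):4d}B "
              f"amplification={len(r) / len(q):.1f}x")
```

Running it shows the full answer at roughly 17x the query size even without DNSSEC, against about 3x for one RRset and about 2x for one RR or the HINFO answer. The ratio depends only on what is put in the answer, not on whether the query arrived over UDP or TCP, which is the quantity both Anand's observation and Tuomo's argument are about.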