Tuomo Soini
2020-May-07 20:11 UTC
[nsd-users] Unexpected responses to ANY queries over TCP
On Thu, 7 May 2020 14:48:25 +0200 Anand Buddhdev <anandb at ripe.net> wrote:

> You are wrong. DNS amplification attacks cannot be done over TCP.

You missed the point. If the authoritative answers over TCP with any data, the resolver DNS can answer to the victim with UDP. So at the authoritative it is important not to answer to ANY.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
Anand Buddhdev
2020-May-07 20:26 UTC
[nsd-users] Unexpected responses to ANY queries over TCP
On 07/05/2020 22:11, Tuomo Soini wrote:

Hi Tuomo,

> You missed the point.
>
> If authoritative answers over tcp with any data, resolver dns can
> answer to victim with udp.

No, it seems you haven't understood how a resolver works.

Suppose a signed zone's apex has SOA, A, AAAA, TXT, DNSKEY, MX and NS records, along with RRSIG records for all these. Now suppose a resolver queries for these records individually, one at a time, and caches them all. Finally, suppose a client queries this resolver with an ANY for this zone's apex. The resolver will return *all* those cached records to the client.

Whether a resolver gets all these records from the authoritative server with a single ANY query, or by querying for the records individually, its response to a downstream client's ANY query will be the same.

I can tell you with certainty that at least BIND behaves this way, because I have experimented and observed. Before you reply to this thread to tell me I'm wrong, please set up a resolver or two, and test this yourself to understand it :)

Regards,
Anand
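A small model of the resolver behaviour Anand describes, added here as an illustration and not code from either post or from NSD or BIND: a caching resolver assembles its ANY answer from whatever RRsets it already holds, so once the individual types have been looked up, the client sees the same ANY response whether or not the authoritative server answered ANY. The zone data is constructed, and RRSIGs are left out for brevity.

```python
# Constructed apex data: (owner, type) -> list of rdata strings.
ZONE = {
    ("example.test.", "SOA"): ["ns1.example.test. hostmaster.example.test. 1 3600 900 1209600 300"],
    ("example.test.", "NS"): ["ns1.example.test.", "ns2.example.test."],
    ("example.test.", "A"): ["192.0.2.1"],
    ("example.test.", "AAAA"): ["2001:db8::1"],
    ("example.test.", "MX"): ["10 mail.example.test."],
    ("example.test.", "TXT"): ['"v=spf1 -all"'],
    ("example.test.", "DNSKEY"): ["257 3 13 constructedkeymaterial=="],
}

class Authoritative:
    """Authoritative server; answer_any=False models 'do not answer ANY'."""
    def __init__(self, zone, answer_any):
        self.zone, self.answer_any = zone, answer_any

    def query(self, name, qtype):
        if qtype == "ANY":
            if not self.answer_any:
                return {}  # refused: nothing for the resolver to cache
            return {k: v for k, v in self.zone.items() if k[0] == name}
        rr = self.zone.get((name, qtype))
        return {(name, qtype): rr} if rr else {}

class Resolver:
    """Caching resolver: ANY is served from cache whenever anything is cached."""
    def __init__(self, upstream):
        self.upstream, self.cache = upstream, {}

    def resolve(self, name, qtype):
        if qtype == "ANY":
            cached = {k: v for k, v in self.cache.items() if k[0] == name}
            if cached:
                return cached  # every cached RRset, however it was obtained
            fetched = self.upstream.query(name, "ANY")
            self.cache.update(fetched)
            return fetched
        if (name, qtype) not in self.cache:
            self.cache.update(self.upstream.query(name, qtype))
        return {(name, qtype): self.cache[(name, qtype)]} if (name, qtype) in self.cache else {}

def any_response_after(answer_any, name="example.test."):
    """ANY answer a client sees after the resolver has looked up each type once."""
    resolver = Resolver(Authoritative(ZONE, answer_any))
    for qtype in ("SOA", "NS", "A", "AAAA", "MX", "TXT", "DNSKEY"):
        resolver.resolve(name, qtype)
    return resolver.resolve(name, "ANY")

def any_response_cold(answer_any, name="example.test."):
    """ANY answer from a resolver whose cache is still empty."""
    return Resolver(Authoritative(ZONE, answer_any)).resolve(name, "ANY")
```

With a warm cache the two policies give identical ANY answers; only the cold-cache case differs, which is the distinction the two posts are arguing about.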