Anand Buddhdev
2020-May-07 12:48 UTC
[nsd-users] Unexpected responses to ANY queries over TCP
On 07/05/2020 14:20, Tuomo Soini wrote:

Hello Tuomo,

> I just explained to knot developers yesterday why it's bad idea to
> respond any queries on tcp on authoritative server.
>
> Let's try to do it again now here.
>
> As long as authoritative server answers to any queries with tcp it is
> possible to do dns amplification attack like described here:
>
> https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

This Cloudflare article is all about amplification over UDP, and it is something that we all understand. The article makes NO mention of amplification over TCP (because it's not possible), so I don't know what you are talking about.

> So dns server responding to any query (especially applicable when
> dnssec is used) can be used as a tool for dns amplification attack. It
> doesn't matter if query is udp or tcp, resolvers can query with tcp at

You are wrong. DNS amplification attacks cannot be done over TCP. And if perchance you're referring to open resolvers that are made to do ANY queries... well, minimising responses to ANY over UDP solves that quite neatly. They won't retry over TCP.

> any time. And still respond to victims with udp. So it's important part
> of mitigation to do it at all levels.
>
> Only way to prevent this is to implement rfc8482 for both udp and tcp on
> authoritative server.

RFC 8482 section 4.4 specifically discusses response behaviour depending on transport. Over UDP, it is good to minimise responses. On the other hand, it's quite okay to provide a complete answer over TCP.

Regards,
Anand
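An added illustration of the transport-dependent ANY policy from RFC 8482 section 4.4 that Anand refers to; this is example code written for this page, not NSD's implementation and not code from either poster. The zone records, TTLs and wire-size arithmetic (owner names compressed to a two-byte pointer, RRSIG/DNSKEY lengths) are constructed so that the reflected-bytes ratio can be compared for a UDP and a TCP query.

```python
# Added illustration of RFC 8482 transport-dependent ANY handling; not NSD code.
from dataclasses import dataclass
@dataclass(frozen=True)
class RR:
    rtype: str
    ttl: int
    rdata: bytes  # wire-format RDATA (constructed, opaque here)

DNS_HEADER_LEN = 12
RR_FIXED_OVERHEAD = 2 + 2 + 2 + 4 + 2  # compressed owner ptr, TYPE, CLASS, TTL, RDLENGTH

def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels plus root byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def query_size(qname: str) -> int:
    return DNS_HEADER_LEN + len(encode_name(qname)) + 4  # + QTYPE, QCLASS

def response_size(qname: str, rrs) -> int:
    # Header + echoed question + answer RRs (owner names compressed to a pointer).
    return query_size(qname) + sum(RR_FIXED_OVERHEAD + len(r.rdata) for r in rrs)

def synthesized_hinfo(ttl: int = 3600) -> RR:
    # RFC 8482 section 4.2: HINFO with CPU "RFC8482" and an empty OS field,
    # each a <character-string>. The TTL here is a constructed choice.
    cpu = b"RFC8482"
    return RR("HINFO", ttl, bytes([len(cpu)]) + cpu + b"\x00")

def answer_any(zone_rrs, transport: str):
    """RRs for the answer section of an ANY response, per RFC 8482 section 4.4."""
    if transport == "tcp":
        # A completed handshake proves the client address, so nothing is bounced at a spoofed victim.
        return list(zone_rrs)
    if transport == "udp":
        return [synthesized_hinfo()]  # minimal reply, nothing worth reflecting
    raise ValueError(f"unknown transport {transport!r}")

def amplification(qname: str, zone_rrs, transport: str) -> float:
    return response_size(qname, answer_any(zone_rrs, transport)) / query_size(qname)

# Constructed apex data for a signed zone: several RRsets plus an RRSIG and a DNSKEY.
EXAMPLE_RRS = [
    RR("A", 300, b"\xc0\x00\x02\x01"),                                    # 192.0.2.1
    RR("AAAA", 300, bytes(16)),
    RR("MX", 300, b"\x00\x0a" + encode_name("mail.example.net")),
    RR("TXT", 300, bytes([255]) + b"v" * 255),
    RR("RRSIG", 300, bytes(18) + encode_name("example.net") + bytes(256)),
    RR("DNSKEY", 300, bytes(4) + bytes(257)),
]
```

With these constructed records the same 29-byte ANY query yields a 50-byte reply over UDP and a 945-byte reply over TCP; only the UDP case can be aimed at a third party, which is why minimisation matters there.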
Tuomo Soini
2020-May-07 20:11 UTC
[nsd-users] Unexpected responses to ANY queries over TCP
On Thu, 7 May 2020 14:48:25 +0200
Anand Buddhdev <anandb at ripe.net> wrote:

> You are wrong. DNS amplification attacks cannot be done over TCP.

You missed the point. If authoritative answers over tcp with any data, resolver dns can answer to victim with udp. So at authoritative it is important not to answer to any.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>