Tuomo Soini
2020-May-07 12:20 UTC
[nsd-users] Unexpected responses to ANY queries over TCP
On Thu, 7 May 2020 12:13:24 +0200
Anand Buddhdev via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:

> NSD with default settings, returns a partial response to ANY queries,
> whether the queries are made over UDP or TCP. I did not expect this.
> In contrast, other servers like BIND and Knot>=2.9.4 make a
> distinction between ANY queries received over UDP versus TCP. Over
> UDP, they return a partial response. Over TCP, they do return all the
> records.

I just explained to Knot developers yesterday why it's a bad idea to respond to ANY queries on TCP on an authoritative server.

Let's try to do it again now here.

As long as an authoritative server answers ANY queries over TCP it is possible to do a DNS amplification attack like described here:

https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

So a DNS server responding to ANY queries (especially applicable when DNSSEC is used) can be used as a tool for a DNS amplification attack. It doesn't matter if the query is UDP or TCP; resolvers can query with TCP at any time, and still respond to victims with UDP. So it's an important part of mitigation to do it at all levels.

The only way to prevent this is to implement RFC 8482 for both UDP and TCP on the authoritative server.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
Anand Buddhdev
2020-May-07 12:48 UTC
[nsd-users] Unexpected responses to ANY queries over TCP
On 07/05/2020 14:20, Tuomo Soini wrote:

Hello Tuomo,

> I just explained to knot developers yesterday why it's bad idea to
> respond any queries on tcp on authoritative server.
>
> Let's try to do it again now here.
>
> As long as authoritative server answers to any queries with tcp it is
> possible to do dns amplification attack like described here:
>
> https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

This Cloudflare article is all about amplification over UDP, and it is something that we all understand. The article makes NO mention of amplification over TCP (because it's not possible), so I don't know what you are talking about.

> So dns server responding to any query (especially applicable when
> dnssec is used) can be used as a tool for dns amplification attack. It
> doesn't matter if query is udp or tcp, resolvers can query with tcp at

You are wrong. DNS amplification attacks cannot be done over TCP. And if perchance you're referring to open resolvers that are made to do ANY queries... well, minimising responses to ANY over UDP solves that quite neatly. They won't retry over TCP.

> any time. And still respond to victims with udp. So it's important part
> of mitigation to do it at all levels.
>
> Only way to prevent this is to implement rfc8482 for both udp and tcp on
> authoritative server.

RFC 8482 section 4.4 specifically discusses response behaviour depending on transport. Over UDP, it is good to minimise responses. On the other hand, it's quite okay to provide a complete answer over TCP.

Regards,
Anand
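The disagreement above is about what an ANY reply looks like on the wire, per transport, and how much bigger than the query it is. The following is an added example, not code from the list, NSD, Knot or BIND: it builds an ANY query in UDP and TCP framing, builds constructed sample replies (the record contents are made up), and classifies a reply as a full ANY answer, an RFC 8482 minimal HINFO answer, an empty answer, or a truncated one, so you can compare what each server returns over each transport.

```python
import struct

def build_any_query(name, qid=0x1234, tcp=False):
    """ANY (QTYPE 255) query for `name`; tcp=True adds the 2-byte length prefix used over TCP."""
    qname = b"".join(bytes([len(x)]) + x.encode() for x in name.rstrip(".").split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 255, 1)
    return struct.pack("!H", len(msg)) + msg if tcp else msg

def build_answer(query, records, tc=False):
    """Constructed reply: echo the question, then each (type, rdata) with a pointer to QNAME."""
    qid = struct.unpack("!H", query[:2])[0]
    qend = query.index(b"\x00", 12) + 5                       # end of QNAME + QTYPE/QCLASS
    msg = struct.pack("!HHHHHH", qid, 0x8180 | (0x0200 if tc else 0), 1, len(records), 0, 0)
    msg += query[12:qend]
    for rtype, rdata in records:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                                  # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (end if end is not None else off)
        labels.append(msg[off:off + n].decode())
        off += n

def classify_any_response(msg):
    """'truncated' (TC bit), 'rfc8482-minimal' (lone HINFO "RFC8482"), 'empty', or 'full'."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                       # skip the question section
        off = read_name(msg, off)[1] + 4
    if flags & 0x0200:
        return "truncated"
    if an == 0:
        return "empty"
    minimal = an == 1
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        minimal = minimal and rtype == 13 and msg[off + 10:off + 10 + rdlen].startswith(b"\x07RFC8482")
        off += 10 + rdlen
    return "rfc8482-minimal" if minimal else "full"
```

len(response) / len(query) is the amplification factor: with the constructed records in the test, the full answer is 285 bytes against a 29-byte query (roughly 10x) while the RFC 8482 reply is 50 bytes (under 2x). On a live TCP connection, strip the 2-byte length prefix before passing the message to classify_any_response.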