Paul,
how about a much simpler configuration option to force all
ANY queries to be reissued over TCP,
        restrict-any-udp  "yes/no";

And have BIND reply with TC=1 and empty answer section on ANY UDP queries.
This is simple, no state needed, no firewall rules, and gets rid of spoofed addresses.

        Olafur


On 10/06/2012 10:18, Paul Vixie wrote:
On 2012-06-10 10:29 AM, sth...@nethelp.no wrote:
Clue appreciated, thanks!
One word: qmail. Google "qmail dns any query".

thinking about or acting against ANY is bad infosec economics. any
investment along those lines is wasted, since ANY is merely the low
hanging fruit, and an attacker need only switch over to TXT or RRSIG or
NSEC to get a similar amplification effect from an authoritative name
server, if ANY were widely nonresponsive.

good infosec economics means the bad guy has a larger investment to make
in order to reach the next round than you had to make to exit the last
round.

to that end, vernon schryver and i have been exploring rate limiting in
BIND 9. there's a patch available, which i've so far offered only to
anyone whose server is currently getting abused. what i'm worried about
is that our profile for goodput-vs-badput is wrong-headed or too coarse-
grained. so far so good.

config {
        // ...
        rate-limit {
                responses-per-second 5;
                window 5;
        };
};

paul

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs