On Thu, 7 May 2020 12:13:24 +0200 Anand Buddhdev via nsd-users <[email protected]> wrote:
> NSD with default settings returns a partial response to ANY queries,
> whether the queries are made over UDP or TCP. I did not expect this.
> In contrast, other servers like BIND and Knot>=2.9.4 make a
> distinction between ANY queries received over UDP versus TCP. Over
> UDP, they return a partial response. Over TCP, they do return all the
> records.

I just explained to the Knot developers yesterday why it's a bad idea to respond to ANY queries over TCP on an authoritative server. Let's try to do it again now here.

As long as an authoritative server answers ANY queries over TCP, it is possible to do a DNS amplification attack like the one described here:

https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

So a DNS server responding to ANY queries (especially applicable when DNSSEC is used) can be used as a tool for a DNS amplification attack. It doesn't matter if the query is UDP or TCP; resolvers can query with TCP at any time and still respond to victims with UDP. So it's an important part of mitigation to do it at all levels.

The only way to prevent this is to implement RFC 8482 for both UDP and TCP on the authoritative server.

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>

_______________________________________________
nsd-users mailing list
[email protected]
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
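As an added illustration of the point made in this thread (this is example code written for this page, not code from NSD, Knot, BIND or the poster), the Python below models the ANY-answer policies the messages describe and estimates the response size each one produces over UDP and over TCP. The policy names (`full`, `udp-partial`, `partial`, `rfc8482`), the sample zone at `example.com.` and all RDATA lengths are constructed assumptions; wire sizes are computed without name compression and without UDP truncation, so they are rough upper bounds, which is enough to show the ratio between policies.

```python
# Added example, not code from the nsd-users thread or from any DNS server.
# Models an authoritative server's answer policy for QTYPE=ANY and estimates
# the query-to-response size ratio for each policy on UDP and on TCP.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str      # owner name, fully qualified
    rtype: str     # record type mnemonic
    rdata: bytes   # RDATA in wire form (constructed placeholder bytes below)


DNS_HEADER = 12   # fixed DNS message header
EDNS_OPT = 11     # an OPT RR carrying no options, as most resolvers send


def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a domain name (length-prefixed labels + root)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(len(label) + 1 for label in labels) + 1


def rr_wire_len(rr: RR) -> int:
    """Owner name + 10 fixed bytes (TYPE, CLASS, TTL, RDLENGTH) + RDATA.
    Name compression is ignored, so this slightly overestimates real responses."""
    return name_wire_len(rr.name) + 10 + len(rr.rdata)


def answer_any(name, rrsets, transport, policy):
    """RRs placed in the answer section for <name> ANY.
    rrsets: {rtype: [RR, ...]} in zone order.  Policies (assumed names):
      'full'        - every RRset, regardless of transport
      'udp-partial' - one RRset over UDP, every RRset over TCP
                      (the BIND/Knot behaviour the thread describes)
      'partial'     - one RRset over both transports (RFC 8482 section 4.1 subset)
      'rfc8482'     - one synthesized HINFO RR over both transports (RFC 8482 section 4.2)
    """
    if policy == "rfc8482":
        # HINFO with CPU="RFC8482" and OS="": two character-strings, 9 bytes of RDATA
        return [RR(name, "HINFO", b"\x07RFC8482\x00")]
    if policy == "partial" or (policy == "udp-partial" and transport == "udp"):
        # Return a subset: here the first RRset in zone order
        return list(next(iter(rrsets.values())))
    if policy in ("full", "udp-partial"):
        return [rr for rrset in rrsets.values() for rr in rrset]
    raise ValueError(f"unknown policy {policy!r}")


def sizes(name, rrsets, transport, policy, edns=True):
    """(query_bytes, response_bytes) for one ANY query under the given policy."""
    question = name_wire_len(name) + 4          # QNAME + QTYPE + QCLASS
    opt = EDNS_OPT if edns else 0
    query = DNS_HEADER + question + opt
    answer = sum(rr_wire_len(rr) for rr in answer_any(name, rrsets, transport, policy))
    response = DNS_HEADER + question + answer + opt
    return query, response


def amplification(name, rrsets, transport, policy):
    """Bytes sent to the victim per byte the attacker sends, under this model."""
    query, response = sizes(name, rrsets, transport, policy)
    return response / query


# Constructed sample apex: only the RDATA lengths matter, the bytes are placeholders.
NAME = "example.com."


def _rr(rtype, rdata_len):
    return RR(NAME, rtype, b"\x00" * rdata_len)


ZONE = {
    "SOA":    [_rr("SOA", 40)],
    "NS":     [_rr("NS", 15), _rr("NS", 15)],
    "A":      [_rr("A", 4)],
    "AAAA":   [_rr("AAAA", 16)],
    "MX":     [_rr("MX", 18), _rr("MX", 18)],
    "TXT":    [_rr("TXT", 50)],
    "DNSKEY": [_rr("DNSKEY", 260), _rr("DNSKEY", 260)],   # two RSA-2048 keys, roughly
    "RRSIG":  [_rr("RRSIG", 287) for _ in range(7)],      # one signature per RRset above
}

if __name__ == "__main__":
    for policy in ("full", "udp-partial", "partial", "rfc8482"):
        for transport in ("udp", "tcp"):
            q, r = sizes(NAME, ZONE, transport, policy)
            print(f"{policy:12s} {transport}: {q:3d} -> {r:5d} bytes, x{r / q:.1f}")
```

Running it shows the asymmetry the reply is about: with `udp-partial`, the UDP answer is small but the same question over TCP still returns the whole signed apex, so a resolver that fetches over TCP and forwards over UDP has the full payload available, whereas `partial` and `rfc8482` keep the response small on both transports.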
