Re: [mailop] DNSxL lookups IPv6 - one /128 per DNS query
On 02/02/2020 18:48, Matthias Leisi via mailop wrote:

> From one particular IPv6 range, each and every DNS query was sent from a unique IPv6 /128, and every /128 seen was used exactly once.

Um, I do this. To guard against cache poisoning attacks. Each nameserver has a /64 to use for outgoing interfaces.

I thought it was pretty standard. From years back when there was a whole panic about DNS cache poisons being much easier than everybody thought. I'm surprised you've not seen it before.

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

outgoing-interface:
    Interface to use to connect to the network. This interface is used to send queries to authoritative servers and receive their replies. Can be given multiple times to work on several interfaces. If none are given the default (all) is used. You can specify the same interfaces in interface: and outgoing-interface: lines, the interfaces are then used for both purposes. Outgoing queries are sent via a random outgoing interface to counter spoofing.

    If an IPv6 netblock is specified instead of an individual IPv6 address, outgoing UDP queries will use a randomised source address taken from the netblock to counter spoofing. Requires the IPv6 netblock to be routed to the host running unbound, and requires OS support for unprivileged non-local binds (currently only supported on Linux). Several netblocks may be specified with multiple outgoing-interface: options, but do not specify both an individual IPv6 address and an IPv6 netblock, or the randomisation will be compromised. Consider combining with prefer-ip6: yes to increase the likelihood of IPv6 nameservers being selected for queries. On Linux you need these two commands to be able to use the freebind socket option to receive traffic for the ip6 netblock:

        ip -6 addr add mynetblock/64 dev lo && ip -6 route add local mynetblock/64 dev lo

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] DNSxL lookups IPv6 - one /128 per DNS query
On Sun, 2 Feb 2020, Matthias Leisi via mailop wrote:

> At dnswl.org, we collect (DNS) logs to identify abusers of our service. During last week, the logs increased by a factor of 10 (usually this is pretty stable, going up and down a few percent), so we thought we'd investigate. And we found something new (to us).
>
> From one particular IPv6 range, each and every DNS query was sent from a unique IPv6 /128, and every /128 seen was used exactly once. Since we do not correlate source and question of DNS queries received (for privacy reasons), we can not tell what exactly was being asked.
>
> We can work around this issue in a number of ways (by blocking them from our DNS servers, excluding them from the log aggregation etc), so no direct harm here. However, if such behaviour becomes more widespread, it may have a number of collateral effects (for DNS caches, in log handling, in reputation management systems etc).
>
> Is this something others have seen as well (either on the DNSxL lookup side, or in SMTP connections)?

I've not seen this.

It is traditional for ISPs to allocate a /64 to each end user. I'd suggest either just logging the /64 of each query, or perhaps rate limit logging by /64, so that you still notice oddities like this.

-- 
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk
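The aggregation Andrew suggests, written out as an added example (not dnswl.org's tooling and not from any poster): source addresses are keyed by their /64 (IPv4 by the single address), queries and distinct /128s are counted per key, and a prefix where every query came from a different /128 is flagged as the pattern described at the top of the thread. The log format (a timestamp followed by the source address) and the sample lines are constructed for this example; 2001:db8::/32 and 192.0.2.0/24 are documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <source address>".
# The second /64 shows the behaviour from the thread: four queries, four /128s.
SAMPLE_LOG = """\
2020-02-02T18:48:01 2001:db8:1:1::1
2020-02-02T18:48:01 2001:db8:1:1::1
2020-02-02T18:48:02 2001:db8:1:1::2
2020-02-02T18:48:02 2001:db8:ffff:abcd:1:2:3:4
2020-02-02T18:48:03 2001:db8:ffff:abcd:5:6:7:8
2020-02-02T18:48:03 2001:db8:ffff:abcd:9:a:b:c
2020-02-02T18:48:04 2001:db8:ffff:abcd:d:e:f:10
2020-02-02T18:48:04 192.0.2.10
2020-02-02T18:48:05 192.0.2.10
"""


def aggregation_key(addr_text):
    """Key a source address is counted under: its /64 for IPv6 (the usual
    per-customer allocation), the address itself for IPv4, None if invalid."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return None
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(ipaddress.ip_network(f"{addr}/32"))


def summarise(log_text):
    """Map each key to (query count, number of distinct source addresses)."""
    queries = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, skip rather than crash the aggregation
        key = aggregation_key(fields[1])
        if key is None:
            continue
        queries[key] += 1
        sources[key].add(fields[1])
    return {k: (queries[k], len(sources[k])) for k in queries}


def one_address_per_query(summary, min_queries=3):
    """Keys where every query used a distinct source address. The threshold
    keeps a /64 that only sent one or two queries from being flagged."""
    return sorted(k for k, (q, s) in summary.items() if q >= min_queries and q == s)


def should_log(key, counter, limit=100):
    """Per-key rate limit for verbose logging: True for the first `limit`
    queries seen under a key, False afterwards (the limit is an assumption)."""
    counter[key] += 1
    return counter[key] <= limit


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for key, (q, s) in sorted(summary.items()):
        print(f"{key:28} queries={q:3} distinct_sources={s:3}")
    print("one /128 per query:", one_address_per_query(summary))
```

Logging only the /64 (the `aggregation_key` value) keeps the log volume proportional to the number of customer allocations rather than to the number of addresses a single allocation can generate, while the distinct-source count per key is what still makes the behaviour visible.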
[mailop] DNSxL lookups IPv6 - one /128 per DNS query
At dnswl.org, we collect (DNS) logs to identify abusers of our service. During last week, the logs increased by a factor of 10 (usually this is pretty stable, going up and down a few percent), so we thought we'd investigate. And we found something new (to us).

From one particular IPv6 range, each and every DNS query was sent from a unique IPv6 /128, and every /128 seen was used exactly once. Since we do not correlate source and question of DNS queries received (for privacy reasons), we can not tell what exactly was being asked.

We can work around this issue in a number of ways (by blocking them from our DNS servers, excluding them from the log aggregation etc), so no direct harm here. However, if such behaviour becomes more widespread, it may have a number of collateral effects (for DNS caches, in log handling, in reputation management systems etc).

Is this something others have seen as well (either on the DNSxL lookup side, or in SMTP connections)?

-- Matthias

-- 
Matthias Leisi
Katzenrütistrasse 68, 8153 Rümlang, Switzerland
Mobile +41 79 377 04 43
matth...@leisi.net
Skype matthias.leisi