Re: Best practice on TCP replies for ANY queries

2013-12-12 Thread Jared Mauch

On Dec 12, 2013, at 3:27 PM, Alain Hebert  wrote:

> The internet will be better without ISPs refusing to apply BCP38.
>
> This is a pointless argument since the majority of the industry
> prefers going after the UDP flood instead of
> curbing the problem at its source once and for all.

I would restate this as "Network Operators" vs "ISPs".

If you operate a network and it allows spoofing internally, or facing your ISP, 
you are also at fault.

- Jared


Re: Best practice on TCP replies for ANY queries

2013-12-12 Thread Alain Hebert
The internet will be better without ISPs refusing to apply BCP38.

This is a pointless argument since the majority of the industry
prefers going after the UDP flood instead of
curbing the problem at its source once and for all.

-
Alain Hebert  aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443

On 12/12/13 11:23, SiNA Rabbani wrote:
> http://www.team-cymru.org/Services/Resolvers/
>
> The Internet will be a better place with less open resolvers around.
>
> --SiNA
> On Dec 12, 2013 5:32 AM, "Tony Finch"  wrote:
>
>> Anurag Bhatia  wrote:
>>> Now I see presence of some (legitimate) DNS forwarders and hence I don't
>>> wish to limit queries.
>> You are going to have to change your mind about this one. Open recursive
>> resolvers are a really bad idea, unless you can afford a lot of time and
>> cleverness to manage the abuse. Get your users to choose a more
>> appropriate name server, and restrict your name server to your local
>> networks.
>>
>> Tony.
>> --
>> f.anthony.n.finch  http://dotat.at/
>> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at
>> first.
>> Rough, becoming slight or moderate. Showers, rain at first. Moderate or
>> good,
>> occasionally poor at first.
>>
>>
>




Re: Best practice on TCP replies for ANY queries

2013-12-12 Thread Paul Ferguson


Also:

http://openresolverproject.org/


Also, open resolvers are harmful to the Internet, so it would not surprise
me to see organizations begin blocking any communication with them based on
published lists of open recursive resolvers.

- ferg.

On 12/12/2013 8:23 AM, SiNA Rabbani wrote:


> http://www.team-cymru.org/Services/Resolvers/
>
> The Internet will be a better place with less open resolvers around.
>
> --SiNA
> On Dec 12, 2013 5:32 AM, "Tony Finch"  wrote:
>
>> Anurag Bhatia  wrote:
>>>
>>> Now I see presence of some (legitimate) DNS forwarders and hence I
>>> don't wish to limit queries.
>>
>> You are going to have to change your mind about this one. Open recursive
>> resolvers are a really bad idea, unless you can afford a lot of time and
>> cleverness to manage the abuse. Get your users to choose a more
>> appropriate name server, and restrict your name server to your local
>> networks.
>>
>> Tony.
>> --
>> f.anthony.n.finch  http://dotat.at/
>> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at
>> first.
>> Rough, becoming slight or moderate. Showers, rain at first. Moderate or
>> good,
>> occasionally poor at first.
>>
>>
>
>



--
Paul Ferguson
PGP Public Key ID: 0x63546533




Re: Best practice on TCP replies for ANY queries

2013-12-12 Thread SiNA Rabbani
http://www.team-cymru.org/Services/Resolvers/

The Internet will be a better place with less open resolvers around.

--SiNA
On Dec 12, 2013 5:32 AM, "Tony Finch"  wrote:

> Anurag Bhatia  wrote:
> >
> > Now I see presence of some (legitimate) DNS forwarders and hence I don't
> > wish to limit queries.
>
> You are going to have to change your mind about this one. Open recursive
> resolvers are a really bad idea, unless you can afford a lot of time and
> cleverness to manage the abuse. Get your users to choose a more
> appropriate name server, and restrict your name server to your local
> networks.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at
> first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or
> good,
> occasionally poor at first.
>
>


Re: Best practice on TCP replies for ANY queries

2013-12-12 Thread Tony Finch
Anurag Bhatia  wrote:
>
> Now I see presence of some (legitimate) DNS forwarders and hence I don't
> wish to limit queries.

You are going to have to change your mind about this one. Open recursive
resolvers are a really bad idea, unless you can afford a lot of time and
cleverness to manage the abuse. Get your users to choose a more
appropriate name server, and restrict your name server to your local
networks.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.



Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Carlos Vicente
https://kb.isc.org/article/AA-01000


On Wed, Dec 11, 2013 at 2:17 PM, Arturo Servin wrote:

> I think it is a better idea to rate-limit your responses rather than
> limiting the size of them.
>
> AFAIK, bind has a way to do it.
>
> .as
>
>
> On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia 
> wrote:
> > Hi ML
> >
> >
> >
> > Yeah I can understand. Even DNSSEC will have issues with it which makes
> me
> > worry about rule even today.
> >
> >
> > On Wed, Dec 11, 2013 at 11:49 PM, ML  wrote:
> >
> >> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
> >> >
> >> > I am sure I am not the first person experiencing this issue. Curious to
> >> > hear how you are managing it. Also under what circumstances I can get a
> >> > legitimate TCP query on port 53 whose reply exceeds a basic limit of
> >> > less than 1000 bytes?
> >> >
> >> >
> >> >
> >>
> >> I'm not a DNS guru so I don't have an exact answer.  However my gut
> >> feeling is that putting in place a rule to drop or rate limit DNS
> >> replies greater than X bytes is probably going to come back to bite you
> >> in the future.
> >>
> >> No one can predict the future of what will constitute legitimate DNS
> >> traffic.
> >>
> >>
> >
> >
> > --
> >
> >
> > Anurag Bhatia
> > anuragbhatia.com
> >
> > Linkedin  |
> > Twitter
> > Skype: anuragbhatia.com
>
>


Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Jared Mauch
dns-operations list is likely best suited for this question, but...

If using BIND 9.9.4 you can set the system to use TCP for repeated queries to 
prevent spoofed ones from being replied to (ie: use yourself as an amplifier).

There's lists of domains published that are used in abuse, eg:

https://twitter.com/DnsSmurf
http://dnsamplificationattacks.blogspot.nl/
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

You should restrict your DNS server (as much as possible) to only respond to 
your customer base.

If you are using microsoft dns, STOP.  It has no way to restrict the clients it 
replies to queries for.  Set up real software to forward to it which does the 
filtering and scoping for your space.

NSD and others also have the ability to configure rate-limiting, knowing what 
software you are using is an important key here for proper recommendations and 
guide pointers.

Good luck,

- jared

On Dec 11, 2013, at 2:17 PM, Arturo Servin  wrote:

> I think it is a better idea to rate-limit your responses rather than
> limiting the size of them.
> 
> AFAIK, bind has a way to do it.
> 
> .as
> 
> 
> On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia  wrote:
>> Hi ML
>> 
>> 
>> 
>> Yeah I can understand. Even DNSSEC will have issues with it which makes me
>> worry about rule even today.
>> 
>> 
>> On Wed, Dec 11, 2013 at 11:49 PM, ML  wrote:
>> 
>>> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
>>>> 
>>>> I am sure I am not the first person experiencing this issue. Curious to hear
>>>> how you are managing it. Also under what circumstances I can get a
>>>> legitimate TCP query on port 53 whose reply exceeds a basic limit of less
>>>> than 1000 bytes?
>>>> 
>>> 
>>> I'm not a DNS guru so I don't have an exact answer.  However my gut
>>> feeling is that putting in place a rule to drop or rate limit DNS
>>> replies greater than X bytes is probably going to come back to bite you
>>> in the future.
>>> 
>>> No one can predict the future of what will constitute legitimate DNS
>>> traffic.
>>> 
>>> 
>> 
>> 
>> --
>> 
>> 
>> Anurag Bhatia
>> anuragbhatia.com
>> 
>> Linkedin  |
>> Twitter
>> Skype: anuragbhatia.com




Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Carlos Vicente
If you are using BIND, take a look at:

https://kb.isc.org/article/AA-01000

cv


On Wed, Dec 11, 2013 at 1:06 PM, Anurag Bhatia  wrote:

> Hello everyone
>
>
> I noticed some issues on one of the DNS servers I am managing. It was getting
> queries for a couple of attacking domains and the server was replying in TCP with
> 3700 bytes, releasing very heavy packets. Now I see presence of some
> (legitimate) DNS forwarders and hence I don't wish to limit queries.
>
>
> As I understand it, there are two ways to fix this:
>
>
>    1. I can put a DNS rate limit on replies to ANY packets like, say, 5 replies
>    every one min. (but again I have some forwarders with quite a few
>    machines behind them).
>
>    2. The other way is limiting TCP port 53 outbound size ...limiting to say
>    600-700 bytes or so.
>
>
>
> I am sure I am not the first person experiencing this issue. Curious to hear
> how you are managing it. Also under what circumstances I can get a
> legitimate TCP query on port 53 whose reply exceeds a basic limit of less
> than 1000 bytes?
>
>
>
>
> Thanks.
>
> --
>
>
> Anurag Bhatia
> anuragbhatia.com
>
> Linkedin  |
> Twitter
> Skype: anuragbhatia.com
>


Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Anurag Bhatia
Hi Doug


I am using PowerDNS recursor.


On Thu, Dec 12, 2013 at 12:51 AM, Doug Barton  wrote:

> You don't mention what software you're using. If you're using BIND, ask
> this question on bind-us...@isc.org. There is indeed a solution.
>
> Doug
>
>
>
> On 12/11/2013 10:06 AM, Anurag Bhatia wrote:
>
>> Hello everyone
>>
>>
>> I noticed some issues on one of the DNS servers I am managing.
>>
>


-- 


Anurag Bhatia
anuragbhatia.com

Linkedin  |
Twitter
Skype: anuragbhatia.com


Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Doug Barton
You don't mention what software you're using. If you're using BIND, ask 
this question on bind-us...@isc.org. There is indeed a solution.


Doug


On 12/11/2013 10:06 AM, Anurag Bhatia wrote:

Hello everyone


I noticed some issues on one of the DNS servers I am managing.




Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Arturo Servin
I think it is a better idea to rate-limit your responses rather than
limiting the size of them.

AFAIK, bind has a way to do it.

.as


On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia  wrote:
> Hi ML
>
>
>
> Yeah I can understand. Even DNSSEC will have issues with it which makes me
> worry about rule even today.
>
>
> On Wed, Dec 11, 2013 at 11:49 PM, ML  wrote:
>
>> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
>> >
>> > I am sure I am not the first person experiencing this issue. Curious to hear
>> > how you are managing it. Also under what circumstances I can get a
>> > legitimate TCP query on port 53 whose reply exceeds a basic limit of less
>> > than 1000 bytes?
>> >
>> >
>> >
>>
>> I'm not a DNS guru so I don't have an exact answer.  However my gut
>> feeling is that putting in place a rule to drop or rate limit DNS
>> replies greater than X bytes is probably going to come back to bite you
>> in the future.
>>
>> No one can predict the future of what will constitute legitimate DNS
>> traffic.
>>
>>
>
>
> --
>
>
> Anurag Bhatia
> anuragbhatia.com
>
> Linkedin  |
> Twitter
> Skype: anuragbhatia.com
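Jared's and Arturo's advice above (rate-limit responses rather than their size, and answer repeated queries with truncated replies that push real clients to TCP) as an added example; this is not code from the thread, BIND or NSD, but a simplified model of Response Rate Limiting in which the client addresses, the limits and the 3700-byte answer size are constructed to match the original question.

```python
# Simplified model of DNS Response Rate Limiting (RRL). Responses are counted
# per (client /24, qname, qtype, second); above the limit the reply is dropped
# or, every `slip`-th time, replaced by a small truncated (TC=1) reply that a
# real resolver retries over TCP but a spoofed victim simply receives.
from collections import defaultdict

DNS_HEADER_LEN = 12  # fixed DNS header size in bytes


def wire_name_len(qname):
    """Length of a name in DNS wire format: length-prefixed labels plus root."""
    return sum(1 + len(label) for label in qname.rstrip(".").split(".")) + 1


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip                 # 0 disables truncated replies
        self.prefix_len = prefix_len
        self.counts = defaultdict(int)   # (net, qname, qtype, second) -> n
        self.limited = defaultdict(int)  # net -> rate-limited replies so far

    def network(self, ip):
        # Assumed simplification: IPv4 only, prefix_len a multiple of 8.
        return ".".join(ip.split(".")[: self.prefix_len // 8])

    def decide(self, ip, qname, qtype, now, answer_len):
        """Return (action, bytes_on_wire) for one candidate response."""
        net = self.network(ip)
        key = (net, qname, qtype, int(now))
        self.counts[key] += 1
        if self.counts[key] <= self.rps:
            return "answer", answer_len
        self.limited[net] += 1
        if self.slip and self.limited[net] % self.slip == 0:
            # Truncated reply carries only the header and question section.
            return "truncate", DNS_HEADER_LEN + wire_name_len(qname) + 4
        return "drop", 0


def simulate(rrl=None):
    """Constructed traffic: 50 spoofed ANY queries carrying a victim's source
    address plus 3 queries from a legitimate forwarder, all within one second.
    Returns bytes sent per source address; rrl=None means no limiting."""
    traffic = [("203.0.113.7", "attacked.example", "ANY", 3700)] * 50
    traffic += [("198.51.100.2", "www.example", "A", 100)] * 3
    sent = defaultdict(int)
    for ip, qname, qtype, size in traffic:
        sent[ip] += size if rrl is None else rrl.decide(ip, qname, qtype, 0.5, size)[1]
    return dict(sent)
```

Without limiting the spoofed source receives 185000 bytes in that second; with 5 responses/s and slip 2 it receives 19248, while the forwarder's three queries are answered in full either way.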



Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Anurag Bhatia
Hi ML



Yeah I can understand. Even DNSSEC will have issues with it which makes me
worry about rule even today.


On Wed, Dec 11, 2013 at 11:49 PM, ML  wrote:

> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
> >
> > I am sure I am not the first person experiencing this issue. Curious to hear
> > how you are managing it. Also under what circumstances I can get a
> > legitimate TCP query on port 53 whose reply exceeds a basic limit of less
> > than 1000 bytes?
> >
> >
> >
>
> I'm not a DNS guru so I don't have an exact answer.  However my gut
> feeling is that putting in place a rule to drop or rate limit DNS
> replies greater than X bytes is probably going to come back to bite you
> in the future.
>
> No one can predict the future of what will constitute legitimate DNS
> traffic.
>
>


-- 


Anurag Bhatia
anuragbhatia.com

Linkedin  |
Twitter
Skype: anuragbhatia.com


Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread ML
On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
>
> I am sure I am not the first person experiencing this issue. Curious to hear
> how you are managing it. Also under what circumstances I can get a
> legitimate TCP query on port 53 whose reply exceeds a basic limit of less
> than 1000 bytes?
>
>
>

I'm not a DNS guru so I don't have an exact answer.  However my gut
feeling is that putting in place a rule to drop or rate limit DNS
replies greater than X bytes is probably going to come back to bite you
in the future.

No one can predict the future of what will constitute legitimate DNS
traffic.



Best practice on TCP replies for ANY queries

2013-12-11 Thread Anurag Bhatia
Hello everyone


I noticed some issues on one of the DNS servers I am managing. It was getting
queries for a couple of attacking domains and the server was replying in TCP with
3700 bytes, releasing very heavy packets. Now I see presence of some
(legitimate) DNS forwarders and hence I don't wish to limit queries.


As I understand it, there are two ways to fix this:


   1. I can put a DNS rate limit on replies to ANY packets like, say, 5 replies
   every one min. (but again I have some forwarders with quite a few
   machines behind them).

   2. The other way is limiting TCP port 53 outbound size ...limiting to say
   600-700 bytes or so.



I am sure I am not the first person experiencing this issue. Curious to hear
how you are managing it. Also under what circumstances I can get a
legitimate TCP query on port 53 whose reply exceeds a basic limit of less
than 1000 bytes?




Thanks.

-- 


Anurag Bhatia
anuragbhatia.com

Linkedin  |
Twitter
Skype: anuragbhatia.com