Greg A. Woods; Planix, Inc. wrote:
> RFC 5358 describes an attack which effectively requires the nameserver
> to perform a recursive lookup for the queries that are part of the
> attack. To quote the RFC:
>
> "DNS authoritative servers that do not provide recursion to clients
> can also be used as amplifiers; however, the amplification potential
> is greatly reduced when authoritative servers are used."
>
> "This document's recommendations are
> concerned with recursive nameservers only."
>
> I.e. if recursion is _not_ performed for any "foreign" queries then
> nobody outside of the networks "trusted" by the caching nameserver can
> succeed at this attack
wrong. if a recursive nameserver is open to cache snooping, it is an
amplification vector. if it drops or responds to foreign queries with
REFUSED, it is not an amplification vector.

> any more than they could succeed at using _any_ and _every_
> authoritative nameserver "normally".

wrong. if an authoritative nameserver responds to queries it is not
authoritative for with a referral, it is an amplification vector. if it
responds to queries it is not authoritative for with REFUSED, it is not
an amplification vector.

responding with REFUSED to unsolicited queries is not an amplification
vector because a REFUSED answer is exactly the same length as the query
being refused. it allows an attacker to further obfuscate the source of
his attack, but it does not amplify the amount of bandwidth at the
attacker's disposal.

see: https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

> I guess what I'm suggesting is something like this, which of course is
> not quite possible yet with unbound:

IMO, unbound should not have convergently evolved towards BIND and its
separate allow-query-cache and allow-recursion ACLs. it should have
dropped all rd==0 queries from the beginning, because an rd==0 query
indicates a request for authoritative nameservice.
> # "trusted" networks can do recursive and non-recursive queries
> access-control: 127/8 allow_snoop
> access-control: 10/8 allow_snoop
> access-control: 172.16/16 allow_snoop
> access-control: 192.168/16 allow_snoop
> access-control: N.N.N.N/24 allow_snoop # site's public IP space
>
> # everyone else can only do non-recursive queries of "public" data
> access-control: 0/0 snoop_public

you can easily achieve this by having one recursive nameserver bound to
an RFC 1918 address which only serves your RFC 1918 clients and knows
about your fake DNS data, and another recursive nameserver bound to a
non-RFC 1918 address which only serves your non-RFC 1918 clients and
does not know about your fake DNS data. that way you avoid mixing fake
and real DNS data in the same cache.

-- 
Robert Edmonds
[email protected]

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
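The size argument in the reply above (a REFUSED answer is the same length as the query, an upward referral is many times larger) can be checked directly on the wire format. The following Python script is an added example; it is not code from the thread, from Unbound or from BIND. It builds a query, a REFUSED response and an uncompressed upward referral for that query, compares their lengths, and applies a toy version of the policy argued for in the message (drop rd==0, recurse for trusted networks, REFUSED for everyone else). Everything in it is constructed: the query name, the 192.0.2.x glue addresses (RFC 5737 documentation space) and the trusted-network list, which uses the RFC 1918 ranges plus loopback rather than the exact prefixes in the quoted access-control list.

```python
"""Amplification check for the three nameserver behaviours discussed above.

Added example, not code from the Unbound project or from the thread. The
query, the responses, the glue addresses and the trusted-network list are
all constructed for illustration.
"""
import ipaddress
import struct

QR_BIT = 1 << 15        # QR: message is a response
RD_BIT = 1 << 8         # RD: recursion desired
RCODE_REFUSED = 5
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1

# Assumed trusted ranges (RFC 1918 plus loopback), modelled on the quoted ACL.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ROOT_NS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]


def encode_name(name):
    """Wire-format a dotted name without compression; "." becomes a lone zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, rd=True, txid=0x1234):
    """Single-question query. rd=False models the rd==0 queries the message says to drop."""
    flags = RD_BIT if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header into the fields used below."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR_BIT), "rd": bool(flags & RD_BIT),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def refused_response(query):
    """REFUSED: echo the question back with QR set and RCODE=5, nothing else."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = (flags & RD_BIT) | QR_BIT | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + query[12:]


def upward_referral_response(query):
    """Upward referral: the root NS set in the authority section plus A glue.

    Built without name compression and with constructed 192.0.2.x glue, so the
    byte count is illustrative rather than what a real server would send.
    """
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = (flags & RD_BIT) | QR_BIT
    authority = b""
    additional = b""
    for i, ns in enumerate(ROOT_NS):
        rdata = encode_name(ns)
        authority += (encode_name(".")
                      + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 518400, len(rdata))
                      + rdata)
        glue = bytes([192, 0, 2, i + 1])  # constructed documentation address
        additional += (encode_name(ns)
                       + struct.pack("!HHIH", TYPE_A, CLASS_IN, 518400, 4)
                       + glue)
    header = struct.pack("!HHHHHH", txid, flags, qd, 0, len(ROOT_NS), len(ROOT_NS))
    return header + query[12:] + authority + additional


def amplification(query, response):
    """Bytes sent to the victim per byte the attacker spoofed."""
    return len(response) / len(query)


def policy(query, src_ip):
    """Toy version of the rule argued for: drop rd==0, recurse for trusted, REFUSED otherwise."""
    if not parse_header(query)["rd"]:
        return "drop"
    if any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_NETS):
        return "recurse"
    return "refused"


if __name__ == "__main__":
    q = build_query("example.com.")
    print("query bytes:", len(q))
    print("REFUSED amplification:", amplification(q, refused_response(q)))
    print("upward referral amplification:",
          round(amplification(q, upward_referral_response(q)), 1))
    for src in ("10.0.0.5", "203.0.113.9"):
        print(src, "rd=1 ->", policy(q, src),
              "| rd=0 ->", policy(build_query("example.com.", rd=False), src))
```

The REFUSED path reproduces the point made above: the response carries the same header and question as the query, so the ratio is exactly 1.0 and the only thing gained by the attacker is a reflected source. The referral path, even in this toy form, comes out at roughly thirty times the query size, which is why the reply treats an authoritative server that hands out referrals for zones it does not serve as an amplifier and one that answers REFUSED as not.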
