Home page logo
/

nanog logo nanog mailing list archives

Re: DOS attack against DNS?
From: Mark Andrews <Mark_Andrews () isc org>
Date: Mon, 16 Jan 2006 10:33:45 +1100 (EST)


In article <20060115231056.75AAD11425 () sa vix com> you write:

# > class "ANY" has no purpose in the real world, not even for debugging.  if
# > you see it in a query, you can assume malicious intent.  if you hear it in
# > a query, you can safely ignore that query, or at best, map it to class
# > "IN".
# 
#      er... i guess that is true, although the DNS does work for 
#      things other than IP based networks...  dispite our respective
#      best efforts to cripple it.

i'm not trying to cripple it.  i'm saying RFC 1034/1035 was wrong about class
"ANY".  all answer/authority/additional data where OP=QUERY and QR=1 will have
the same class as the QCLASS (of which, in spite of the QDCOUNT field, there
can be only one).  nodes do not have classes.  not even zones have classes.
each class has a hierarchy of NS RRs making a "namespace".  each class needs
its own root name servers.  there are less-coherent / more-useful ways to
interpret "the spec", and one such way could give meaning to class "ANY", but
no dns implementation i'm aware of follows those alternate interpretations.

since nanog isn't a protocol-fine-points mailing list, at least for the DNS
protocol, one could ask "why are we discussing this?" and my answer is, there
is an operational tie-in.  if you see QCLASS=ANY in a firewall, that is prima
facie evidence of malfeasance, not merely misconfiguration or
misinterpretation.

        And if you want to refuse class ANY queries in BIND 9 create a view
        like the following.

                view "blackhole" any {
                        allow-query { none; };
                };
        
        Note: all zones have to be in a view once you start using views.

        Again this really is only a stop gap measure as the attack
        can quite easily morph into something this won't catch.

        Mark


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]