Home page logo
/

nanog logo nanog mailing list archives

Re: Open Resolver Problems
From: Joe Abley <jabley () hopcount ca>
Date: Mon, 1 Apr 2013 14:33:57 -0400


On 2013-04-01, at 14:19, Jay Ashworth <jra () baylink com> wrote:

From: "Roland Dobbins" <rdobbins () arbor net>

On Apr 1, 2013, at 11:18 PM, Patrick W. Gilmore wrote:
Of course, since users shouldn't be using off-net name servers
anyway, this isn't really a problem! :)

;>

It's easy enough to construct ACLs to restrict the broadband consumer
access networks from doing so. Additional egress filtering would catch
any reflected attacks, per your previous comments.

So, how would Patrick's caveat affect me, whose recursive resolver *is 
on my Linux laptop*?  Would not that recursor be making queries he 
advocates blocking?

The badness that Patrick is talking about blocking are DNS responses being sent from consumer devices to the Internet, 
answering DNS queries being sent from the Internet towards consumer devices. (I think. This thread is sufficiently 
circular that I feel a bit dizzy, and could be mistaken.) The DNS traffic outbound from your laptop will be DNS queries 
(not responses) and the inbound traffic will be DNS responses (not queries). The traffic profiles are different.

The case where infected consumer devices originate source-spoofed queries towards open resolvers, feeding a query 
stream to an amplifier for delivery to a victim, is mitigated by preventing those consumer devices from spoofing their 
source address, so BCP38.

The case where infected consumer devices originate non-source-spoofed queries towards DNS servers in order to overwhelm 
the servers themselves with perfectly legitimate-looking queries is a harder problem to solve at the edge, and is most 
easily mitigated for DNS server operators by the approach "ensure great headroom".


Joe



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault