Bind ANY ANY Query Denial of Service

Vinny Abello vinny at tellurian.com
Wed Aug 10 03:47:27 UTC 2005


At 11:39 PM 8/9/2005, Vinny Abello wrote:
>At 06:50 PM 8/9/2005, srv1054 at gmail.com wrote:
> >We are a large national ISP and we have a number of BIND DNS Caching
> >servers around the country for our customers.
> >
> >We've been victims of multiple Denial of Service attacks against our
> >BIND DNS servers.  Now normally this isn't an issue because we do not
> >allow Recursion for IP's we don't own, as well as we can make use of
> >BIND's wonderful ability to blackhole IP #'s.
> >
> >The problem comes from this.   We have out to our customer base a huge
> >number of CPE routers deployed that contain a bug which allows any IP
> >to query the CPE router for DNS and it will simply just forward the
> >request off to its primary DNS server.  The CPE is not smart, and the
> >way it's configured we can not disable the DNS settings, as well as it
> >is a massive undertaking to upgrade all the CPE in the field (tens of
> >thousands of them) to the latest patch in any reasonable amount of
> >time.
> >
> >The DoS attacks are targeted at our entire IP blocks, and because of
> >the above mentioned bug, any of these CPE that happen to get hit will
> >forward the DNS request to our caching servers.  So it appears we are
> >being attacked by our own customer base.   When this happens we get
> >thousands of queries from thousands of our own IP's that are all
> >querying for  ANY ANY.
> >
> >To my knowledge ANY ANY is not a valid query and BIND simply returns a
> >list of ROOT servers.
> >
> >The problem now is that if we blackhole the IP's that this comes from,
> >we are blocking our customers from using DNS and it's not even their
> >fault.
> >
> >We've been around a million ways to solve this problem but we need a
> >fast way to make BIND not respond to this type of query, until we can
> >fix the greater problem which is patching all of the CPE to a version
> >that does not allow DNS forwarding from external interfaces.  (ya
> >pretty dumb)
> >
> >The simple solution from our stand point is to have BIND not respond to
> >this type of query.  And rather, just ignore the ANY ANY query or
> >blackhole it.   I've included a sample from the QUERY logs to show what
> >we see when this happens.
> >
> >Should it even be responding to ANY ANY queries?  That seems invalid,
> >maybe this is a bug?
> >
> >Thousands and thousands of these from thousands of IP's:
> >
> >Aug  9 16:58:15 ns1.iad named[3718]: [ID 866145 local5.info] client
> >209.125.200.66#53: query: . ANY ANY +
> >Aug  9 15:58:14 ns1.ord named[27662]: [ID 866145 local5.info] client
> >72.20.18.17#6442: query: . ANY ANY +
> >Aug  9 15:58:14 ns1.pdx named[27662]: [ID 866145 local5.info] client
> >72.20.18.17#6442: query: . ANY ANY +
> >Aug  9 15:58:14 ns1.sjc named[27662]: [ID 866145 local5.info] client
> >72.20.18.17#6442: query: . ANY ANY +
> >
> >
> >Any help or direction you could provide is much appreciated.
>
>Assuming these attacks are originating outside of your network, can
>you simply block UDP/TCP 53 to your customers' CPEs? This will only
>break their resolution if the query is being sourced from 53 which it
>likely isn't. Just a suggestion...

In fact, block it from everywhere except from your DNS servers so if 
they are trying to source from 53, they'll likely be using 
your DNS servers as resolvers anyway and it'll work. Of course if 
they are running their own DNS servers as resolvers sourcing from 53 
and not using forwarders, this will still cause problems but you 
could make exceptions.

That's just a quick and dirty thing to do in a pinch. If your 
router/firewall can inspect the packets and detect that pattern and 
block it, that would be more desirable obviously. As it was said 
already though, fixing the CPE's would be my priority hopefully by 
doing a firmware update.


Vinny Abello
Network Engineer
Server Management
vinny at tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

"Courage is resistance to fear, mastery of fear - not absence of 
fear" -- Mark Twain
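As an added illustration (not part of the thread above, and not BIND's own tooling), the script below parses BIND 9 query-log lines in the shape quoted in the original post (`client <ip>#<port>: query: <name> <class> <type> <flag>`, where the trailing `+` marks a query with recursion desired) and counts `. ANY ANY` queries per client address. That gives the operator a list of the CPE addresses that are forwarding the flood, which is the input for a targeted firmware push or a per-address exception on the port-53 filter, rather than a blanket blackhole that also breaks the customer's own resolution. The sample log lines are constructed for this example, using documentation address ranges in place of the real addresses from the post; the regex, the `summarize` threshold and the function names are my assumptions, not a BIND feature.

```python
import re
from collections import Counter, defaultdict

# Matches the query-log line shape quoted in the post: after the syslog prefix
# comes "client <ip>#<port>: query: <name> <class> <type> [<flags>]".
# (Assumed format for this example; adjust if your BIND version logs differently.)
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+)(?: (?P<flags>\S+))?"
)

# Constructed sample log lines modelled on the post's format. The addresses and
# hostnames are made up (RFC 5737 documentation ranges), not the original ones.
SAMPLE_LOG = """\
Aug  9 16:58:15 ns1.iad named[3718]: [ID 866145 local5.info] client 192.0.2.66#53: query: . ANY ANY +
Aug  9 15:58:14 ns1.ord named[27662]: [ID 866145 local5.info] client 198.51.100.17#6442: query: . ANY ANY +
Aug  9 15:58:14 ns1.pdx named[27662]: [ID 866145 local5.info] client 198.51.100.17#6442: query: . ANY ANY +
Aug  9 15:58:14 ns1.sjc named[27662]: [ID 866145 local5.info] client 198.51.100.17#6442: query: . ANY ANY +
Aug  9 15:58:15 ns1.sjc named[27662]: [ID 866145 local5.info] client 198.51.100.17#6442: query: www.example.com IN A +
Aug  9 15:58:16 ns1.sjc named[27662]: [ID 866145 local5.info] client 203.0.113.9#40123: query: mail.example.net IN MX +
Aug  9 15:58:16 ns1.sjc named[27662]: [ID 866145 local5.info] client 198.51.100.17#53: query: . ANY ANY +
"""


def parse_query(line):
    """Return the query fields of one BIND query-log line as a dict, or None
    if the line is not a query-log entry."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    return fields


def is_root_any_any(q):
    """True for the '. ANY ANY' pattern described in the post: name is the
    root, and both class and type are ANY."""
    return q["name"] == "." and q["qclass"] == "ANY" and q["qtype"] == "ANY"


def summarize(log_text, threshold=3):
    """Count '. ANY ANY' queries per client IP.

    Returns (counts, source_ports, flagged):
      counts        - Counter of matching queries per client IP
      source_ports  - the set of source ports each client used for them
      flagged       - clients with at least `threshold` matching queries,
                      i.e. the candidates for CPE remediation or a filter
                      exception (threshold is an assumed tuning knob)
    """
    counts = Counter()
    source_ports = defaultdict(set)
    for line in log_text.splitlines():
        q = parse_query(line)
        if q is None or not is_root_any_any(q):
            continue
        counts[q["ip"]] += 1
        source_ports[q["ip"]].add(q["port"])
    flagged = {ip: n for ip, n in counts.items() if n >= threshold}
    return counts, source_ports, flagged


if __name__ == "__main__":
    counts, ports, flagged = summarize(SAMPLE_LOG)
    for ip, n in sorted(flagged.items(), key=lambda kv: -kv[1]):
        # A client sourcing from port 53 would be broken by a blanket
        # port-53 filter, so note that for the exception list.
        uses_53 = 53 in ports[ip]
        print(f"{ip}: {n} '. ANY ANY' queries, source ports {sorted(ports[ip])}"
              f"{' (sources from 53)' if uses_53 else ''}")
```

In practice you would feed it the real query log (`named` must have query logging enabled, as it evidently is in the post) and pipe the flagged addresses into whatever drives the CPE update or the firewall exception list; the source-port set is kept because the reply above points out that clients sourcing from port 53 are the ones a blanket port-53 block would break.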
