Fwd: disabling "Any" requests

Dns Administrator dnsadmdns at gmail.com
Fri Jul 13 08:26:55 UTC 2012


Thank you all very much for your advice.
Doing a general check on some DNS servers in connection with an upcoming
systems upgrade I noticed an unexpected spikiness when looking at the query
logs.
This I found was apparently caused by "ANY" queries from some few addresses
and with a volume and a frequency which led me to believe that these
queries didn't originate from "bona fide" users.
Googling the issue I found that it was well known and had something to do
with DNS amplification and denial of service.
Stopping their ingress at a firewall doesn't appeal to me and as the "ANY"
query isn't really a type but more a wild card function I thought that maybe
the ISC folks had implemented some sort of configuration option which could
control this.
But as so rightly pointed out the scamps who engage in this sort of
foolishness would also be aware of this and change their scripts accordingly.
Kind Regards Peter
ps I haven't stumbled across any coax cabling since the last millennium


---------- Forwarded message ----------
From: Chuck Swiger <cswiger at mac.com>
Date: Thu, Jul 12, 2012 at 6:15 PM
Subject: Re: disabling "Any" requests
To: "Lightner, Jeff" <jlightner at water.com>
Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>


On Jul 12, 2012, at 7:16 AM, Lightner, Jeff wrote:
> Your answer was clearly meant to be tongue in cheek but I'm not sure you
> understood.

Please allow me to reassure you that I understood the intent of the
question.  :-)

The point was that if one isn't clear about what one should allow and what
one should forbid, spending lots of money on a fancy firewall box, or
complicated rules creating restrictions for certain DNS query types is
silly-- a pair of wirecutters provides better security for your money:

  http://www.ranum.com/security/computer_security/papers/a1-firewall/
  http://www.google.com/search?q=firewall+wizards+wirecutters

> The OP wasn't asking how to stop all (any) lookups - it was how to stop
> "dig -t any" which isn't the same thing at all.  Presumably they still want
> to allow dig -t mx, dig www... etc...
>
> Personally I don't know why "dig -t any" would be a problem.   It's not
> exactly the same as doing an axfr transfer of the zone - it still only gets
> limited information.

That's an extremely good question to ask, yes.

However, it should also lead to asking "why would you want to answer DNS
queries at all for some client, if you've decided you want to block some
types of queries?"  If whoever it is making the DNS requests is a valid
user of the nameserver, then you probably ought to figure out what's going
on by talking with them before simply breaking things.  If the queries
aren't from a valid user, consider not answering any of their queries, rather
than just blocking some.

If the intent is to mitigate a DDOS/amplification attack but still allow
public access to the nameserver, well, rate limiting queries seems to be a
much more appropriate solution than blocking type=any.

Regards,
--
-Chuck
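Two points in this thread lend themselves to a small worked example: Peter's observation that a handful of source addresses were responsible for a spike of "ANY" queries in the query log, and Chuck's suggestion that rate limiting is a better answer than blocking a query type. The following Python script is an added illustration, not code from either poster or from ISC. It parses constructed lines in the shape of a BIND 9 query log, counts ANY queries per client so the noisy sources stand out, and then replays the same log through a simplified per-client token bucket to show which queries a rate limiter would answer and which it would drop. The token bucket is a teaching model of the idea, not BIND's own response rate limiting (which counts identical responses rather than queries per client); the addresses, timestamps and thresholds are all made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of a BIND 9 query log (not a real capture).
# 203.0.113.7 plays the hypothetical noisy source; the others look like ordinary clients.
SAMPLE_LOG = """\
13-Jul-2012 08:00:00.101 client 192.0.2.10#53011: query: example.com IN MX +E (198.51.100.1)
13-Jul-2012 08:00:00.205 client 203.0.113.7#1024: query: example.com IN ANY +E (198.51.100.1)
13-Jul-2012 08:00:00.206 client 203.0.113.7#1024: query: example.com IN ANY +E (198.51.100.1)
13-Jul-2012 08:00:00.207 client 203.0.113.7#1024: query: example.com IN ANY +E (198.51.100.1)
13-Jul-2012 08:00:00.208 client 203.0.113.7#1024: query: example.com IN ANY +E (198.51.100.1)
13-Jul-2012 08:00:00.209 client 203.0.113.7#1024: query: example.com IN ANY +E (198.51.100.1)
13-Jul-2012 08:00:00.310 client 192.0.2.11#53012: query: www.example.com IN A + (198.51.100.1)
13-Jul-2012 08:00:00.411 client 192.0.2.12#53013: query: example.com IN ANY +E (198.51.100.1)
13-Jul-2012 08:00:00.512 client 192.0.2.10#53011: query: mail.example.com IN AAAA + (198.51.100.1)
"""

# Tolerates both "client ADDR#PORT:" and the newer "client ADDR#PORT (QNAME):" forms.
LINE_RE = re.compile(
    r"(?P<hms>\d\d:\d\d:\d\d\.\d+) client (?P<addr>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def _seconds(hms):
    """Convert HH:MM:SS.mmm to seconds since midnight (dates are ignored here)."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_queries(text):
    """Return a list of (time_seconds, client, qname, qtype) for parseable lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append((_seconds(m.group("hms")), m.group("addr"),
                         m.group("qname"), m.group("qtype").upper()))
    return rows


def any_query_sources(text, min_count=3):
    """Clients that sent at least min_count ANY queries, as {client: count}."""
    counts = Counter(c for _, c, _, t in parse_queries(text) if t == "ANY")
    return {c: n for c, n in counts.items() if n >= min_count}


class TokenBucket:
    """Per-client bucket refilled at `rate` tokens/second, holding at most `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        # Refill proportionally to elapsed time, then spend one token if available.
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_rate_limit(text, rate=2.0, burst=2):
    """Replay the log through per-client buckets; returns {client: (answered, dropped)}."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    tally = defaultdict(lambda: [0, 0])
    for t, client, _, _ in parse_queries(text):
        tally[client][0 if buckets[client].allow(t) else 1] += 1
    return {c: tuple(v) for c, v in tally.items()}


if __name__ == "__main__":
    print("heavy ANY sources:", any_query_sources(SAMPLE_LOG))
    print("rate-limit outcome:", simulate_rate_limit(SAMPLE_LOG))
```

On the sample above, the per-type count singles out the one address sending five ANY queries in a few milliseconds, while the replay answers that client's first two queries and drops the remaining three; every ordinary client is answered in full, including the legitimate single ANY query from 192.0.2.12. That is the practical difference Chuck is pointing at: a rate limit keyed on behaviour survives the attacker switching from ANY to another type, whereas a rule keyed on the type does not.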

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users