DNS security, amplification attacks and recursion

Michael De Roover isc at nixmagic.com
Tue Jul 7 18:06:29 UTC 2020

On 7/7/20 4:06 PM, Tony Finch wrote:

> An auth-only server can also be used for amplification attacks that use
> its authoritative zones - these attacks don't have to use recursion.
> There are a few ways to mitigate auth-only amplification attacks.
> Response rate limiting is very effective. Start off by putting the
> following in your options{} section, and look in the BIND ARM for other
> directives you can put in the rate-limit{} section.
> 	rate-limit {
> 		responses-per-second 10;
> 	};
That's a really useful option to have; I didn't know about this yet. It
seems like that could take care of the brunt of amplification attacks
already. Definitely going to add this in, thanks!
> Set a maximum UDP packet size, to suppress fragmented packets. The DNS
> flag day 2020 campaign will make this a standard setting. For a long time
> I have used:
> 	max-udp-size 1420;
> 	https://dnsflagday.net/2020/
> A downside of small UDP responses is more truncated packets and more
> queries over TCP, but there are still more ways to reduce response size
> which also reduce truncation.
Interesting, I wasn't aware of this campaign. I don't know if I'm 
knowledgeable enough on UDP to be able to make educated decisions on 
this myself but I look forward to its eventual release.
> Reduce the size of responses to ANY queries, which are a favourite tool of
> amplification attacks. There's basically no downside to this one, in my
> opinion, but I'm biased because I implemented it.
> 	minimal-any yes;

I've heard of these ANY queries being preferred for amplification 
attacks as well, since the responses are often so large... I don't think 
that there would be any downsides to this either, in fact I've never 
actually seen a legitimate application use it... Probably best to lock 
down indeed.

> You can also reduce the size of other answers. In theory this option might
> force resolvers to make more queries to get records that by default would
> appear in the additional section, but I think in practice resolvers make
> these queries anyway because of RFC 2181 trustworthiness logic, and
> because applications (such as SMTP servers) find it easier to query
> directly than use additional records. So on my auth servers I set:
> 	minimal-responses yes;

Hmm, for the authoritative name servers this might be a good idea, yeah...
Those are authoritative only (i.e. `recursion no`). So for clients
querying those, the NS records served in the additional section at least 
should already be known to the client anyway... I mean that's why 
they're there to begin with, so they must already know that information 
from the DNS servers higher up the chain. And another query if needed, 
saves traffic either way I suppose.

Thanks a lot for the detailed reply, I really appreciate it :)

Met vriendelijke groet / Best regards,
Michael De Roover
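The following is an added illustration, not code from either poster nor from BIND itself: a small Python model of how the three settings discussed above (`rate-limit { responses-per-second }`, `max-udp-size` and `minimal-any`) each shrink the bytes an authoritative server emits towards a spoofed source. The traffic, the byte sizes (a 60-byte query, a 3200-byte unbounded ANY answer, an 80-byte truncated reply, a 120-byte minimal-any reply) and the /24 grouping are constructed assumptions for the demonstration; BIND's real RRL also keys on the response identity and uses a credit window and `slip`, which this model leaves out.

```python
"""Toy model of the auth-server amplification mitigations from the thread.

Constructed simulation (not BIND code): it shows, in bytes, why RRL,
max-udp-size and minimal-any each reduce what a spoofing attacker gets back.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample traffic: (second, source IP, qtype, unbounded answer bytes).
# Twenty spoofed ANY queries from 192.0.2.0/24 arrive in second 0; 198.51.100.7
# is an ordinary resolver asking one normal question per second.
SAMPLE = [(0, f"192.0.2.{i}", "ANY", 3200) for i in range(10, 30)] + [
    (0, "198.51.100.7", "A", 400),
    (1, "198.51.100.7", "MX", 400),
]

QUERY_BYTES = 60  # assumed on-the-wire size of one UDP query incl. IP/UDP headers


def amplification_factor(query_bytes, response_bytes):
    """Bytes out per byte in: the figure an attacker cares about."""
    return response_bytes / query_bytes


def apply_max_udp_size(response_bytes, max_udp_size=1420, truncated_bytes=80):
    """Model max-udp-size: an answer that would exceed the limit goes out
    truncated (TC=1) and the client must retry over TCP. Simplification: the
    truncated UDP reply carries only header + question (assumed 80 bytes)."""
    if response_bytes > max_udp_size:
        return truncated_bytes, True
    return response_bytes, False


def apply_minimal_any(qtype, response_bytes, minimal_any_bytes=120):
    """Model minimal-any: an ANY query over UDP is answered with a single
    RRset instead of everything at the name (assumed 120 bytes)."""
    if qtype == "ANY":
        return min(response_bytes, minimal_any_bytes)
    return response_bytes


def rrl(events, responses_per_second=10, ipv4_prefix_length=24):
    """Simplified response rate limiting: count answers per client /24 per
    second and drop anything beyond the limit. (BIND's RRL additionally keys
    on the answer identity and has a credit window and slip; omitted here.)"""
    counts = defaultdict(int)
    sent = []
    for second, src, qtype, size in events:
        prefix = ip_network(f"{src}/{ipv4_prefix_length}", strict=False)
        key = (second, prefix)
        if counts[key] >= responses_per_second:
            continue  # dropped: spoofed victim receives nothing for this query
        counts[key] += 1
        sent.append((second, src, qtype, size))
    return sent


def total_bytes(events, *, rrl_limit=None, max_udp_size=None, minimal_any=False):
    """Bytes the server emits for `events` under the chosen mitigations."""
    answered = rrl(events, rrl_limit) if rrl_limit else events
    total = 0
    for _, _, qtype, size in answered:
        if minimal_any:
            size = apply_minimal_any(qtype, size)
        if max_udp_size:
            size, _ = apply_max_udp_size(size, max_udp_size)
        total += size
    return total


def summary(events=SAMPLE):
    """Compare the mitigations on the constructed sample."""
    return {
        "none": total_bytes(events),
        "rrl_10": total_bytes(events, rrl_limit=10),
        "max_udp_1420": total_bytes(events, max_udp_size=1420),
        "minimal_any": total_bytes(events, minimal_any=True),
        "all_three": total_bytes(events, rrl_limit=10, max_udp_size=1420,
                                 minimal_any=True),
    }


if __name__ == "__main__":
    print(f"ANY amplification factor: {amplification_factor(QUERY_BYTES, 3200):.1f}x")
    for name, value in summary().items():
        print(f"{name:>14}: {value} bytes")
```

Running it shows the ordering the thread implies: RRL halves the spoofed flood on its own, while either `max-udp-size` or `minimal-any` collapses the ANY responses to a few hundred bytes total, and the legitimate resolver's small A/MX answers are untouched by all three.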

More information about the bind-users mailing list