[ratelimits] bind force qtype=ANY to TCP

Vernon Schryver vjs at rhyolite.com
Wed May 15 20:38:09 UTC 2013

> From: Jared Mauch <jared at puck.nether.net>

> I thought I'd share this to anyone that wants to just force all
> TYPE=ANY queries over TCP to prevent those from coming from spoofed
> locations.
> This is a crude but effective hack.  It doesn't stop the system
> from recursing to find the response.
> http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch

I can understand simplistic DNS reflection mitigation in firewalls,
especially when response rate limiting is not available in the DNS
server implementation or when local policies forbid the use of patches.
I don't understand why would one use a patch like that with its
limitations and drawbacks (e.g. usable only on recent versions of
BIND9, affects only ANY, affects all ANY, doesn't limit the flood of
reflected truncated responses during attacks, no whitelisting for local
clients, not view-specific) instead of the full blown RRL patch for
9.9.3rc2, 9.9.2, 9.9.2-P1, 9.9.2-P2, 9.8.4-P2, 9.8.4-P1, or 9.8.5rc2.

By the way, why use "qtype == 255" instead of "qtype == dns_rdatatype_any" ? 

Why #define TCP_CLIENT() and use the macro exactly once instead
something like
    if (qtype == dns_rdatatype_any &&
	(client->attributes & NS_CLIENTATTR_TCP) != 0) {
If TCP_CLIENT() is used in query.c, then its definition should be moved
from client.c to bin/named/include/named/client.h and the several uses
of "client->attributes & NS_CLIENTATTR_TCP" in query.c replaced with
TCP_CLIENT().   It's bad form to define macros (or much of anything)
more than once, because you can be sure that eventually the definitions
will differ.

Vernon Schryver    vjs at rhyolite.com

More information about the ratelimits mailing list