[ratelimits] bind force qtype=ANY to TCP
jared at puck.nether.net
Wed May 15 21:59:02 UTC 2013
On May 15, 2013, at 4:38 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
>> From: Jared Mauch <jared at puck.nether.net>
>> I thought I'd share this to anyone that wants to just force all
>> TYPE=ANY queries over TCP to prevent those from coming from spoofed
>> This is a crude but effective hack. It doesn't stop the system
>> from recursing to find the response.
> I can understand simplistic DNS reflection mitigation in firewalls,
> especially when response rate limiting is not available in the DNS
> server implementation or when local policies forbid the use of patches.
> I don't understand why would one use a patch like that with its
> limitations and drawbacks (e.g. usable only on recent versions of
> BIND9, affects only ANY, affects all ANY, doesn't limit the flood of
> reflected truncated responses during attacks, no whitelisting for local
> clients, not view-specific) instead of the full blown RRL patch for
> 9.9.3rc2, 9.9.2, 9.9.2-P1, 9.9.2-P2, 9.8.4-P2, 9.8.4-P1, or 9.8.5rc2.
> By the way, why use "qtype == 255" instead of "qtype == dns_rdatatype_any" ?
(also see dns-operations list reply, but for those that aren't on both).
I've cleaned up the patch slightly with your suggestions. My plan is to use both
together, but in the interim for those that don't want a large patch or are concerned
about the false-positives that were presented at DNS-OARC meeting in Dublin this
past weekend, this patch will only have the TC=1 backscatter and make the
amplification effect go away. Far from perfect, but it's suitable on any recursive resolver
where some may not want RRL on there.
PS: Anyone that is blocking TCP/53 may see problems, but they may see other
broken things too. I can't fix them, but this might drive people to be educated
as to why.
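A Python sketch of the policy discussed in this thread, added here as an illustration: it is not Jared's patch (which the thread does not include) nor BIND code. The query, answer records and the transport label are constructed, and UDP size limits and EDNS are ignored.

```python
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255   # 255 is dns_rdatatype_any
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100

def build_query(name, qtype, qid=0x1234):
    """Minimal DNS query: 12-byte header (RD set) plus one question."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (qid, flags, end_of_question_offset, qtype) for a one-question message."""
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off = 12
    while msg[off]:                      # walk uncompressed labels to the root byte
        off += 1 + msg[off]
    qtype = struct.unpack("!H", msg[off + 1:off + 3])[0]
    return qid, flags, off + 5, qtype

def rr(rtype, rdata, ttl=300):
    """One answer RR whose owner name is a pointer (0xC00C) to the question name."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def respond(query, transport, answers):
    """The thread's policy: ANY over UDP gets an empty TC=1 reply; anything else
    gets the real answer (answers = the RRs the server would return)."""
    qid, flags, qend, qtype = parse_question(query)
    question = query[12:qend]
    rflags = FLAG_QR | (flags & FLAG_RD)
    if transport == "udp" and qtype == QTYPE_ANY:
        # No answer records; the client is expected to retry over TCP.
        return struct.pack("!HHHHHH", qid, rflags | FLAG_TC, 1, 0, 0, 0) + question
    return struct.pack("!HHHHHH", qid, rflags, 1, len(answers), 0, 0) + question + b"".join(answers)

def tc_set(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)

def amplification(query, response):
    """Bytes sent to the (possibly spoofed) source per byte of query received."""
    return len(response) / len(query)

# Constructed zone data: a small A record plus a bulky TXT record.
ANSWERS = [rr(QTYPE_A, bytes([192, 0, 2, 1])), rr(QTYPE_TXT, b"\xff" + b"x" * 255)]

if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    for transport in ("udp", "tcp"):
        r = respond(q, transport, ANSWERS)
        print(f"{transport}: {len(r)} bytes, TC={tc_set(r)}, amplification={amplification(q, r):.1f}x")
```

The UDP reply is the same size as the query (the TC=1 backscatter mentioned above), while the full answer only travels over the TCP session, and a non-ANY query over UDP is untouched by the policy.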