[ratelimits] bind force qtype=ANY to TCP

Vernon Schryver vjs at rhyolite.com
Thu May 16 00:03:19 UTC 2013

> From: Jared Mauch <jared at puck.nether.net>

> The folks that are most concerned with RRL are those expecting queries
> from stub resolvers, I think this would mitigate this risk.

} > Is it intentional that the patch does not affect authoritative ANY
} > responses?  I think the patch would fail to stop the authorities for
} > isc.org from answering `dig +dnssec isc.org any @ams.sns-pb.isc.org'
} > with almost 4 Kbytes.
} It's somewhat accidental, but I think OK.

We disagree on both of those issues.  Reflections from recursive
servers are bad, but reflections from authorities are as bad if only
because many authorities have more resources and so can blast more
bits at a DoS target than many recursives.  There's also the idea
that open recursives should be closed for more reasons than complicity
in reflection DoS attacks but authorities cannot be closed.

}   I think it is fine as it primes the cache if it's a real query, but if it's
} fake then it just keeps sending TC=1 until the TTL expires.

What are "fake" and "real" queries?  I didn't think we were talking
about queries that get NXDOMAIN responses or <random>example.com.
There would be no need for any patches if there were a way to
distinguish forged DoS queries from real queries from the DoS target.

That reference to cache priming suggested another thought.
As you wrote, the patch does not stop recursion from filling the
local cache.  The patched code is not used when the local cache
already has the answer, as it will after an initial TC=1 response,
because BIND sort of pretends that it is authoritative for everything
in the cache.  That implies the patch should have no effect after
an initial ANY query and TC=1 response.

I think the patch has a false negative rate of approximately 100%.
To check whether I am wrong again, I set up a test server and tried
two `dig +ignore isc.org any` commands.  The first got a TC=1 error
response as expected.  The second command got 3500 bytes of RRs via
UDP.  I expect (but haven't tested) that all subsequent queries get
normal responses until all of the TTLs expire.

So I recommend that those who want to answer all UDP ANY responses
with TC=1 and don't like my real recommendation of "Don't Do That!"
use one of the fancy iptables or other firewall rules for doing that.
Or am I wrong again and no one has offered such rules?--if so, use
one of the rules that simply block ANY (which I also don't like).

Vernon Schryver    vjs at rhyolite.com

More information about the ratelimits mailing list