The command used to test this was apparently "dig +short test.openresolver.com TXT @your.name.server".
Authoritative name servers may not need a huge DNS infrastructure
for a small-ish zone (say under 1k records), but recursors on the
scale of Google and Cloudflare in particular (not sure how popular
Quad9 is so far).. those use massive infrastructure including
anycast and everything! I'd consider it safe to assume that their
servers are at least on the order of 100Gbps cumulatively, if not
more.
If these would be vulnerable to amplification attacks just because
they allow recursion,
Said friend said to me that he tested my authoritative name servers and
found them to be not vulnerable. [snip] They do not respond to recursive queries. It appears that the test of whether a server is "vulnerable" or
not has to do with this. The command used to test this was apparently
"dig +short test.openresolver.com TXT @your.name.server".
Response rate limiting is very effective. Start off by putting theDoes that apply to local queries as well (for example, a mail server may easily make a whole lot of queries to 127.0.0.1, and rate limiting it would at the very least affect logging and could delay mail if the MTA cannot verify DNS.
following in your options{} section, and look in the BIND ARM for other directives you can put in the rate-limit{} section.
rate-limit { responses-per-second 10; };
rate-limit { responses-per-second 10; };
Does that apply to local queries as well (for example, a mail server may easily make a whole lot of queries to 127.0.0.1, and rate limiting it
would at the very least affect logging and could delay mail if the MTA
cannot verify DNS.
Do these setting also need to be applied to the secondary servers?
An auth-only server can also be used for amplification attacks that useThat's a really useful option to have, I didn't know about this yet. It
its authoritative zones - these attacks don't have to use recursion.
There are a few ways to mitigate auth-only amplification attacks.
Response rate limiting is very effective. Start off by putting the
following in your options{} section, and look in the BIND ARM for other directives you can put in the rate-limit{} section.
rate-limit {
responses-per-second 10;
};
Set a maximum UDP packet size, to suppress fragmented packets. The DNSInteresting, I wasn't aware of this campaign. I don't know if I'm knowledgeable enough on UDP to be able to make educated decisions on
flag day 2020 campaign will make this a standard setting. For a long time
I have used:
max-udp-size 1420;
https://dnsflagday.net/2020/
A downside of small UDP responses is more truncated packets and more
queries over TCP, but there are still more ways to reduce response size
which also reduce truncation.
Reduce the size of responses to ANY queries, which are a favourite tool of amplification attacks. There's basically no downside to this one, in my opinion, but I'm biased because I implemented it.
minimal-any yes;
You can also reduce the size of other answers. In theory this option might force resolvers to make more queries to get records that by default would appear in the additional section, but I think in practice resolvers make these queries anyway because of RFC 2181 trustworthiness logic, and
because applications (such as SMTP servers) find it easier to query
directly than use additional records. So on my auth servers I set:
minimal-responses yes;
Reduce the size of responses to ANY queries, which are a favourite tool of amplification attacks. There's basically no downside to this one, in my opinion, but I'm biased because I implemented it.
minimal-any yes;
On Tue, 7 Jul 2020, Tony Finch wrote:
Reduce the size of responses to ANY queries, which are a favourite toolof
amplification attacks. There's basically no downside to this one, in my opinion, but I'm biased because I implemented it.
minimal-any yes;
Why only reduce and not eliminate?
Can ANY responses be disabled completely with an option?
This article at cloudflare https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
states that they have deprecated it because it wasn't being used. They
should know! This was posted over 5 years ago, in 2015.
Cloudflare themselves now implement the "minimal any" behavior described
in this spec:
https://tools.ietf.org/html/rfc8482
cloudflare.com. 3789 IN HINFO "RFC8482" ""
On 7/7/20 4:06 PM, Tony Finch wrote:The URL has a good explanation of this setting and it looks like 1420 is a more than adequate packet size.
max-udp-size 1420;Interesting, I wasn't aware of this campaign. I don't know if I'm knowledgeable enough on UDP to be able to make educated decisions on this myself but I look forward to its eventual release.
https://dnsflagday.net/2020/
On Tue, 7 Jul 2020, Tony Finch wrote:
minimal-any yes;
Why only reduce and not eliminate?
Brett Delmage <Brett@BrettDelmage.ca> wrote:
On Tue, 7 Jul 2020, Tony Finch wrote:
minimal-any yes;
Why only reduce and not eliminate?
The reason is a bit subtle. If an ANY query comes via a recursive
resolver, it is much better to give the resolver an answer so that it will put an entry in its cache...
| Sysop: | DaiTengu | 
|---|---|
| Location: | Appleton, WI | 
| Users: | 1,073 | 
| Nodes: | 10 (0 / 10) | 
| Uptime: | 20:07:52 | 
| Calls: | 13,785 | 
| Files: | 186,987 | 
| D/L today: | 2,926  				files (902M bytes) | 
| Messages: | 2,436,551 |