On 7/7/20 4:06 PM, Tony Finch wrote:
> An auth-only server can also be used for amplification attacks that use
> its authoritative zones - these attacks don't have to use recursion.
>
> There are a few ways to mitigate auth-only amplification attacks.
>
> Response rate limiting is very effective. Start off by putting the
> following in your options{} section, and look in the BIND ARM for other
> directives you can put in the rate-limit{} section.
>
>     rate-limit {
>         responses-per-second 10;
>     };

That's a really useful option to have, I didn't know about this yet. It
seems like that could take care of the brunt of amplification attacks
already. Definitely going to add this in, thanks!

> Set a maximum UDP packet size, to suppress fragmented packets. The DNS
> flag day 2020 campaign will make this a standard setting. For a long time
> I have used:
>
>     max-udp-size 1420;
>
> https://dnsflagday.net/2020/
>
> A downside of small UDP responses is more truncated packets and more
> queries over TCP, but there are still more ways to reduce response size
> which also reduce truncation.

Interesting, I wasn't aware of this campaign. I don't know if I'm
knowledgeable enough on UDP to be able to make educated decisions on
this myself, but I look forward to its eventual release.

> Reduce the size of responses to ANY queries, which are a favourite tool of
> amplification attacks. There's basically no downside to this one, in my
> opinion, but I'm biased because I implemented it.
>
>     minimal-any yes;

I've heard of these ANY queries being preferred for amplification
attacks as well, since the responses are often so large... I don't think
that there would be any downsides to this either; in fact, I've never
actually seen a legitimate application use it... Probably best to lock
it down indeed.

> You can also reduce the size of other answers. In theory this option might
> force resolvers to make more queries to get records that by default would
> appear in the additional section, but I think in practice resolvers make
> these queries anyway because of RFC 2181 trustworthiness logic, and
> because applications (such as SMTP servers) find it easier to query
> directly than use additional records. So on my auth servers I set:
>
>     minimal-responses yes;

Hmm, for the authoritative name servers this might be a good idea, yeah.
Those are authoritative only (i.e. `recursion no`). So for clients
querying those, the NS records served in the additional section at least
should already be known to the client anyway... I mean, that's why
they're there to begin with, so they must already know that information
from the DNS servers higher up the chain. And another query if needed
saves traffic either way, I suppose.
Thanks a lot for the detailed reply, I really appreciate it :)
--
Met vriendelijke groet / Best regards,
Michael De Roover
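The four settings discussed in the thread, assembled into one named.conf fragment for an authoritative-only BIND server. This is an added illustration, not configuration posted by either participant: only `responses-per-second 10` and `max-udp-size 1420` are the values quoted above; the other rate-limit sub-directives, the `exempt-clients` range, the log file path and the logging channel are assumptions for a typical deployment and should be checked against the BIND ARM for the version in use (`minimal-any` requires BIND 9.11 or later).

```conf
// named.conf fragment for an authoritative-only BIND server.
// Added example: values other than responses-per-second 10 and
// max-udp-size 1420 (both from the thread) are assumptions.

options {
    recursion no;                 // authoritative only, no resolver service

    // Response Rate Limiting (RRL): budgets identical responses per client
    // prefix so a spoofed-source flood gets dropped instead of amplified.
    rate-limit {
        responses-per-second 10;  // identical answers per prefix per second
        nxdomains-per-second 5;   // assumed: separate, lower budget for NXDOMAIN
        errors-per-second 5;      // assumed: same for other error responses
        window 5;                 // assumed: seconds of credit a client can bank
        slip 2;                   // every 2nd dropped answer is sent with TC=1,
                                  // so a real client can retry over TCP
        ipv4-prefix-length 24;    // account per /24 (the default)
        ipv6-prefix-length 56;    // account per /56 (the default)
        exempt-clients { 192.0.2.0/24; };  // assumed: your own monitoring range
        log-only no;              // set to yes first, watch the log, then flip it
    };

    // Keep UDP responses under the fragmentation threshold; anything larger
    // goes back truncated and the client retries over TCP.
    max-udp-size 1420;

    // Shrink the classic amplification vectors.
    minimal-any yes;              // BIND 9.11+: one RRset per ANY response
    minimal-responses yes;        // omit optional additional/authority records
};

logging {
    // Assumed channel: RRL decisions are logged under the rate-limit category.
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_log; };
};
```

After `rndc reload`, compare `dig @yourserver +norecurse ANY yourzone` before and after: with `minimal-any` the MSG SIZE drops to a single RRset, and a `+bufsize=4096` query for a record set larger than 1420 bytes should come back with the TC flag set rather than as fragmented datagrams. Running with `log-only yes` for a day before enforcing shows which clients would actually be rate-limited, which is how you catch a legitimate forwarder sitting behind a single /24.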
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users