Maintained by: NLnet Labs

[Unbound-users] allowing cache queries but not doing recursion for "foreign" networks

Robert Edmonds
Mon Feb 16 00:23:01 CET 2009

Greg A. Woods; Planix, Inc. wrote:
> RFC 5358 describes an attack which effectively requires the nameserver
> to perform a recursive lookup for the queries that are part of the
> attack.  To quote the RFC:
>     "DNS authoritative servers that do not provide recursion to clients
>     can also be used as amplifiers; however, the amplification potential
>     is greatly reduced when authoritative servers are used."
>     "This document's recommendations are
>     concerned with recursive nameservers only."
> I.e. if recursion is _not_ performed for any "foreign" queries then
> nobody outside of the networks "trusted" by the caching nameserver can
> succeed at this attack

wrong. if a recursive nameserver is open to cache snooping, it is an
amplification vector.  if it drops or responds to foreign queries with
REFUSED, it is not an amplification vector.

> any more than they could succeed at using _any_  and _every_
> authoritative nameserver "normally".

wrong. if an authoritative nameserver responds to queries it is not
authoritative for and responds with a referral, it is an amplification
vector.  if it responds to queries it is not authoritative for with
REFUSED, it is not an amplification vector.

responding with REFUSED to unsolicited queries is not an amplification
vector because a REFUSED answer is exactly the same length as the query
being refused.  it allows an attacker to further obfuscate the source of
his attack, but it does not amplify the amount of bandwidth at the
attacker's disposal.  see:

> I guess what I'm suggesting is something like this, which of course is
> not quite possible yet with unbound:

IMO, unbound should not have convergently evolved towards BIND and its
separate allow-query-cache and allow-recursion ACLs.  it should have
dropped all rd==0 queries from the beginning, because an rd==0 query
indicates a request for authoritative nameservice.

> 	# "trusted" networks can do recursive and non-recursive queries
> 	access-control: 127/8 allow_snoop
> 	access-control: 10/8 allow_snoop
> 	access-control: 172.16/16 allow_snoop
> 	access-control: 192.168/16 allow_snoop
> 	access-control: N.N.N.N/24 allow_snoop	# site's public IP space
> 	# everyone else can only do non-recursive queries of "public" data
> 	access-control: 0/0 snoop_public

you can easily achieve this by having one recursive nameserver bound to
an RFC 1918 address which only serves your RFC 1918 clients and knows
about your fake DNS data, and another recursive nameserver bound to a
non-RFC 1918 address which only serves your non-RFC 1918 clients and
does not know about your fake DNS data.  that way you avoid mixing fake
and real DNS data in the same cache.

Robert Edmonds
edmonds at
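The size argument Edmonds makes above (a REFUSED answer is the same length as the query, a referral is not), worked through as an added example that is not part of the original thread: it builds one query and both kinds of answer in DNS wire format and compares their sizes. The query name, TTL and the list of root-server names are constructed sample values; nothing is sent on the network.

```python
import struct

# Added example (not from the original thread): build DNS wire messages to
# compare the size of a REFUSED answer with a referral answer for one query.

def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid: int, name: str, qtype: int = 1, rd: bool = True) -> bytes:
    """Standard query: 12-byte header plus one question (QTYPE, QCLASS=IN)."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def refused_response(query: bytes) -> bytes:
    """QR=1, RD copied from the query, RCODE=5 (REFUSED), question echoed, no RRs."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (flags & 0x0100) | 0x0005
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]

def referral_response(query: bytes, ns_names: list[str]) -> bytes:
    """QR=1, NOERROR, question echoed, authority section filled with root NS RRs."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (flags & 0x0100)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, len(ns_names), 0) + query[12:]
    for ns in ns_names:
        rdata = encode_name(ns)
        # owner "." (root), TYPE=NS(2), CLASS=IN(1), TTL (constructed), RDLENGTH, RDATA
        msg += b"\x00" + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    return msg

def rcode(msg: bytes) -> int:
    """Low four bits of the flags word."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def amplification(query: bytes, response: bytes) -> float:
    """Bytes returned per byte received, the figure an amplifier is judged by."""
    return len(response) / len(query)

# constructed sample: a query for example.com/A answered two different ways
QUERY = build_query(0x1234, "example.com.")
ROOT_NS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]   # 13 names, constructed list
REFUSED = refused_response(QUERY)
REFERRAL = referral_response(QUERY, ROOT_NS)

if __name__ == "__main__":
    print(len(QUERY), len(REFUSED), len(REFERRAL))
    print(f"REFUSED x{amplification(QUERY, REFUSED):.1f}, "
          f"referral x{amplification(QUERY, REFERRAL):.1f}")
```

The referral here carries only NS records in the authority section; a real referral with glue A/AAAA records in the additional section is larger still, so the ratio shown is a lower bound.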