Maintained by: NLnet Labs

[Unbound-users] Python API extension patch proposal

W.C.A. Wijngaards
Mon Jan 5 11:21:27 CET 2015


Hi Stephane,

On 05/01/15 09:03, Stephane Lapie wrote:
> Hello,
> 
> I am currently in the process of dealing with water torture attacks
> on our cache DNS servers (<randomstring>.domain.com queries that
> never resolve and end up causing enormous upstream traffic,
> ultimately crushing the authoritative server for domain.com).
> 
> To this end, I toyed around with unbound, and noticed that 
> unbound-control's lookup function has a very interesting feature : 
> $ sudo unbound-control lookup randomtest.google.com
> The following name servers are used for lookup of randomtest.google.com.
> ;rrset 14224 4 0 8 0
> google.com.    273424    IN    NS    ns2.google.com.
> google.com.    273424    IN    NS    ns3.google.com.
> google.com.    273424    IN    NS    ns4.google.com.
> google.com.    273424    IN    NS    ns1.google.com.
> ;rrset 7350 1 0 8 0
> ns1.google.com.    266550    IN    A    216.239.32.10
> ;rrset 57726 1 0 8 0
> ns4.google.com.    316926    IN    A    216.239.38.10
> ;rrset 56988 1 0 8 0
> ns3.google.com.    316188    IN    A    216.239.36.10
> ;rrset 28120 1 0 8 0
> ns2.google.com.    287320    IN    A    216.239.34.10
> Delegation with 4 names, of which 4 can be examined to query further addresses.
> It provides 4 IP addresses.
> 216.239.34.10       rto 87 msec, ttl 628, ping 71 var 4 rtt 87, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
> 216.239.36.10       rto 645 msec, ttl 19, ping 101 var 136 rtt 645, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
> 216.239.38.10       rto 113 msec, ttl 31, ping 97 var 4 rtt 113, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
> 216.239.32.10       rto 99 msec, ttl 328, ping 47 var 13 rtt 99, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
> 
> Namely, for any given hostname, it can find the closest delegation
> point (in this case, remove unambiguously and with no danger the
> random part of the attack query, since it goes to the deepest
> component that retains any meaning DNS-wise).
> 
> I thought that since the information was available within the
> Unbound process, coding a Python module that would keep track of
> the count of queries to a DDoSed delegation point would be a good
> start to an algorithm for effectively blocking water torture
> attacks, but the required function, dns_cache_find_delegation() was
> not available readily from the Python API.
> 
> Therefore, I extended the Python API as per the attached file
> (also available at 
> http://www.yomi.darkbsd.org/~darksoul/lookup-api-extension.patch),
> to export struct delegpt and a find_delegation() function that
> would allow one to acquire the delegation point name, records and
> servers, from the Python module environment.
> 
> Example of use case (extremely simplified, implementation of
> allow_query() not disclosed):
> 
>     def operate(id, event, qstate, qdata):
>         delegation = find_delegation(qstate, qstate.qinfo.qname,
>                                      len(qstate.qinfo.qname))
> 
>         if (event == MODULE_EVENT_NEW) or (event == MODULE_EVENT_PASS):
>             policy_result = allow_query(qstate.qinfo, delegation,
>                                         delegation_name)
>             if (policy_result):
>                 # Pass query to next module
>                 qstate.ext_state[id] = MODULE_WAIT_MODULE
>             else:
>                 qstate.ext_state[id] = MODULE_ERROR
>             return True
> 
> This patch, along with an actual module that will SERVFAIL (as
> above) cache-missing queries going over threshold (therefore
> reducing upstream traffic to a tenth of what it would be if
> honoring DDoS-related queries, AND keeping it within our AS), has
> been running in our production environment at ASAHI Net for several
> months now, and has been approved for upstream contribution on our
> side.

Thank you for the patch; I have put it in the source.  Can you tell
the allow_query() details that work for you (the threshold and what
you do with the AS specifically)?

Best regards,
   Wouter

> I thought this feature would be very useful to have in the Python
> module environment, so would it be possible for you to consider
> integrating this patch as a standard feature in Unbound?
> 
> Thanks for your time,

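A threshold-based allow_query() of the kind the post leaves undisclosed, written here as an added example (my own code, not Stephane's module and not part of Unbound): a sliding-window counter keyed on the delegation point name that the patch's find_delegation() returns, so that queries for <randomstring>.domain.com all count against domain.com. It assumes the returned delegpt exposes that name as wire-format bytes in a `.name` attribute, and the threshold and window values are constructed.

```python
import time
from collections import deque

def wire_to_text(wire):
    """Wire-format DNS name (length-prefixed labels) to text; assumes bytes."""
    labels, pos = [], 0
    while pos < len(wire) and wire[pos] != 0:
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    return ".".join(labels) + "."

class DelegationRateLimiter:
    """Sliding-window query counter per delegation point (assumed policy, not ASAHI Net's)."""
    def __init__(self, threshold, window_seconds, clock=time.monotonic):
        self.threshold, self.window, self.clock = threshold, window_seconds, clock
        self.hits = {}  # delegation name -> deque of query timestamps

    def allow_query(self, delegation_name):
        """True if the query stays under the threshold for its delegation point."""
        now = self.clock()
        q = self.hits.setdefault(delegation_name, deque())
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            return False  # over threshold: caller answers SERVFAIL
        q.append(now)
        return True

LIMITER = DelegationRateLimiter(threshold=100, window_seconds=10)  # constructed values
def delegation_name_for(qstate):
    # find_delegation() is the patch's function; a .name attribute holding the
    # delegation point's wire-format name is assumed for the returned delegpt
    dp = find_delegation(qstate, qstate.qinfo.qname, len(qstate.qinfo.qname))
    return wire_to_text(dp.name if dp is not None else qstate.qinfo.qname)

def operate(id, event, qstate, qdata):
    # Unbound module callback; MODULE_* constants exist only inside Unbound
    if event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS:
        if LIMITER.allow_query(delegation_name_for(qstate)):
            qstate.ext_state[id] = MODULE_WAIT_MODULE  # pass to next module
        else:
            qstate.ext_state[id] = MODULE_ERROR  # client sees SERVFAIL
        return True
    qstate.ext_state[id] = MODULE_FINISHED if event == MODULE_EVENT_MODDONE else MODULE_ERROR
    return True

def init(id, cfg): return True
def deinit(id): return True
def inform_super(id, qstate, superqstate, qdata): return True
```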