[nycbug-talk] dns abuse

Max Gribov max at neuropunks.org
Wed Jan 21 18:10:32 EST 2009


Miles Nordin wrote:
>>>>>> "y" == Yarema  <yds at CoolRat.org> writes:
>>>>>>             
>
>
>      y> In the case of this latest spoof attack it seems to me
>      y> like everyone was scrambling for a way to disable answering
>      y> the "." zone.  Was everyone trying to figure out a way to
>      y> violate "some standard" as a way of protecting their DNS
>      y> servers?
>
> Probably, yes.  Both goals are semi-hysterical.
>

I don't believe it says anywhere that an auth DNS server MUST answer a
request for the root zone; it only knows about the zones it's authoritative for.
If you don't want to declare a hint zone a master, you can use views.

I also think firewall/router-level protection like throttling is a much
better way to protect *my* servers. In this case, the victim's servers
are what need protection. It's good etiquette not to participate
in/amplify a DDoS.

Check out the NANOG threads on the subject:

http://www.merit.edu/mail.archives/nanog/msg14428.html
http://www.merit.edu/mail.archives/nanog/msg14429.html




>      y> So having said all that I'm now convinced that tinydns is
>      y> doing the Right Thing(TM) by not replying to queries for the
>      y> "." zone, because no one has any business asking my
>
>     >> And it provides no real security because I can still do a query
>     >> for something for which your server is authoritative and get it
>     >> to amplify an attack.
>
>      y> Doesn't this apply equally to any DNS server out there?
>
> yes, to any server including djbdns, which is my point.
>
> It's security through obscurity, possibly at the expense of
> standards-compliance (though possibly not.  I'm still not sure whether
> it's a BIND bug, or an intentional feature complying to the letter of
> some standard or working around some resolver's corner case).
>
>      y> The "crazed zealot" did deliver the library piece of the
>      y> resolver: http://cr.yp.to/djbdns/blurb/library.html
>
> Okay, I guess I'm wrong.  It's still mostly a wheel-reinvention, in
> that it preserves the BIND architecture of implementing a resolver
> through a stateless client stub library plus a recursive resolver.
> He's just stirring around the bowl full of dust a bit, arguing about
> the exact order to put function arguments or how to allocate memory.
> Even BIND's lwres is probably a more relevant re-invention than his.
>
> The Mac OS X and Solaris resolvers seem to include more client-side
> caching and an abstract interface that's not DNS-specific, is generic
> for looking up ``directory'' information or netinfo.  In both cases
> they used this abstraction to move from their old directory protocols
> (NIS+ and Netinfo) to LDAP.  And in Apple's case the hostname lookup
> part includes seamless dns-sd/zeroconf support which requires a lot of
> resolver state to be performant.  I brought them up because they're
> more genuine examples of what it really means to separate the resolver
> from the server, and of what sorts of refactoring are possible once you
> do this---DNS caching gets mixed in with caching other directory data,
> and the API gets simpler and more powerful.  DJB's separation is more
> just copying BIND and then applying a bunch of NIH ranting against it.
> Not pointlessly, but it's just OCD screaming, not the actual
> creativity you can find among younger developers.  That's why I think
> sysadmins should resist a temptation to idolize him, and sort of
> embrace all this bloated buggy modern crap a little more readily,
> learn how to recognize the good and bad among it, and exist in a world
> built from it.

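Max's point that the victim's servers are what need protection, together with Miles's point that a spoofed query for any zone the server is authoritative for can amplify, suggests a defensive check a server operator can run over their own query log. The following is an added example, not code from the thread or from any DNS server: it assumes a BIND-style query-log layout (the sample lines are constructed) and flags source addresses that burst high-gain queries ("." NS or ANY); since the source address is spoofed, a flagged address is the likely victim and the useful response is to throttle replies to it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample query log in a BIND-style layout (the exact field layout
# is an assumption for this example, not copied from any real server).
SAMPLE_LOG = """\
21-Jan-2009 18:00:00.000 client 198.51.100.7#53: query: . IN NS +
21-Jan-2009 18:00:00.010 client 198.51.100.7#53: query: . IN NS +
21-Jan-2009 18:00:00.020 client 198.51.100.7#53: query: . IN NS +
21-Jan-2009 18:00:00.030 client 198.51.100.7#53: query: . IN NS +
21-Jan-2009 18:00:01.000 client 203.0.113.9#53: query: example.net IN ANY +
21-Jan-2009 18:00:01.100 client 203.0.113.9#53: query: example.net IN ANY +
21-Jan-2009 18:00:01.200 client 203.0.113.9#53: query: example.net IN ANY +
21-Jan-2009 18:00:01.300 client 203.0.113.9#53: query: example.net IN ANY +
21-Jan-2009 18:00:02.000 client 192.0.2.44#40123: query: www.example.net IN A +
21-Jan-2009 18:00:09.000 client 192.0.2.44#40123: query: mail.example.net IN MX +
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#(?P<port>\d+): "
                     r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_line(line):
    """Return (timestamp, ip, port, qname, qtype), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"], int(m["port"]), m["qname"], m["qtype"]

def find_reflection_sources(log_text, window_s=1.0, threshold=4):
    """Map source ip -> reason for sources that burst high-gain queries ('.' NS
    or ANY). The source is spoofed, so a flagged address is the likely victim:
    rate-limit replies to it rather than treating it as the attacker."""
    recent = defaultdict(list)          # ip -> timestamps inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _port, qname, qtype = parsed
        if qname != "." and qtype != "ANY":
            continue                    # ordinary query: small answer, low gain
        times = recent[ip]
        times.append(ts)
        while (ts - times[0]).total_seconds() > window_s:
            times.pop(0)                # slide the window forward
        if len(times) >= threshold and ip not in flagged:
            flagged[ip] = f"{len(times)} {qname} {qtype} queries within {window_s}s"
    return flagged
```

The two flagged addresses in the sample are the ones whose replies a firewall or router throttle should cap; the A/MX client is left alone.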