[nsd-users] Unexpected responses to ANY queries over TCP

Tuomo Soini tis at foobar.fi
Thu May 7 12:20:30 UTC 2020


On Thu, 7 May 2020 12:13:24 +0200
Anand Buddhdev via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:

> NSD, with default settings, returns a partial response to ANY queries,
> whether the queries are made over UDP or TCP. I did not expect this.

> In contrast, other servers like BIND and Knot>=2.9.4 make a
> distinction between ANY queries received over UDP versus TCP. Over
> UDP, they return a partial response. Over TCP, they do return all the
> records.

I just explained to the Knot developers yesterday why it's a bad idea to
respond to ANY queries over TCP on an authoritative server.

Let's try to do it again now here.

As long as an authoritative server answers ANY queries over TCP, it is
possible to do a DNS amplification attack like the one described here:

https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

So a DNS server responding to ANY queries (especially when DNSSEC is
used) can be used as a tool for a DNS amplification attack. It doesn't
matter if the query is UDP or TCP; resolvers can query with TCP at any
time and still respond to victims with UDP. So it's an important part
of mitigation to do it at all levels.

The only way to prevent this is to implement RFC 8482 for both UDP and
TCP on the authoritative server.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
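The RFC 8482 behaviour the post argues for, shown as an added example (editor's code, not NSD's or the poster's): an ANY query gets one synthesized HINFO record with CPU "RFC8482" and an empty OS field, and the TCP framing only adds the two-octet length prefix, so the answer is the same size over both transports. The query builder, the 3600 s TTL and the name example.com. are constructed for the demonstration.

```python
"""Synthesize the RFC 8482 minimal answer to an ANY query, independent of transport."""
import struct

QTYPE_ANY, RTYPE_HINFO, CLASS_IN = 255, 13, 1

def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg: bytes, off: int):
    """Return (name, offset after the name). A question name is never compressed."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off

def build_query(name: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Constructed client query: RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def rfc8482_response(query: bytes):
    """For a QTYPE=ANY query return an authoritative answer carrying a single
    HINFO RR (CPU="RFC8482", OS=""); for any other qtype return None."""
    qid, flags, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    if qd != 1:
        return None
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if qtype != QTYPE_ANY:
        return None
    rflags = 0x8400 | (flags & 0x0100)          # QR=1, AA=1, copy RD, RCODE=0
    header = struct.pack("!HHHHHH", qid, rflags, 1, 1, 0, 0)
    question = query[12:off + 4]
    rdata = bytes([7]) + b"RFC8482" + bytes([0])  # two <character-string>s
    answer = b"\xC0\x0C" + struct.pack("!HHIH", RTYPE_HINFO, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer

def frame_tcp(msg: bytes) -> bytes:
    """TCP carries the identical message behind a two-octet length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg
```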