[nsd-users] Unexpected responses to ANY queries over TCP
anandb at ripe.net
Thu May 7 12:48:25 UTC 2020
On 07/05/2020 14:20, Tuomo Soini wrote:
> I just explained to knot developers yesterday why it's bad idea to
> respond any queries on tcp on authoritative server.
> Let's try to do it again now here.
> As long as authoritative server answers to any queries with tcp it is
> possible to do dns amplification attack like described here:
This Cloudflare article is all about amplification over UDP, and it is
something that we all understand. The article makes NO mention of
amplification over TCP (because it's not possible), so I don't know what
you are talking about.
> So dns server responding to any query (especially applicable when
> dnssec is used) can be used as a tool for dns amplification attack. It
> doesn't matter if query is udp or tcp, resolvers can query with tcp at
You are wrong. DNS amplification attacks cannot be done over TCP.
And if perchance you're referring to open resolvers that are made to do
ANY queries... well, minimising responses to ANY over UDP solves that
quite neatly. They won't retry over TCP.
> any time. And still respond to victims with udp. So It's important part
> of mitigation to do it at all levels.
> Only way to prevent this is to implment rfc8482 for both udp and tcp on
> authoritative server.
RFC 8482 section 4.4 specifically discusses response behaviour depending
on transport. Over UDP, it is good to minimise responses. On the other
hand, it's quite okay to provide a complete answer over TCP.
More information about the nsd-users