Re: Open Resolver Problems

[Joe Abley <jabley () hopcount ca>]

On 2013-04-01, at 14:19, Jay Ashworth <jra () baylink com> wrote:

> > From: "Roland Dobbins" <rdobbins () arbor net>
>
> > On Apr 1, 2013, at 11:18 PM, Patrick W. Gilmore wrote:
> > > Of course, since users shouldn't be using off-net name servers
> > > anyway, this isn't really a problem! :)
> >
> > ;>
> >
> > It's easy enough to construct ACLs to restrict the broadband consumer
> > access networks from doing so. Additional egress filtering would catch
> > any reflected attacks, per your previous comments.
>
> So, how would Patrick's caveat affect me, whose recursive resolver *is 
> on my Linux laptop*?  Would not that recursor be making queries he 
> advocates blocking?

The badness that Patrick is talking about blocking are DNS responses being sent from consumer devices to the Internet, 
answering DNS queries being sent from the Internet towards consumer devices. (I think. This thread is sufficiently 
circular that I feel a bit dizzy, and could be mistaken.) The DNS traffic outbound from your laptop will be DNS queries 
(not responses) and the inbound traffic will be DNS responses (not queries). The traffic profiles are different.

The case where infected consumer devices originate source-spoofed queries towards open resolvers, feeding a query 
stream to an amplifier for delivery to a victim, is mitigated by preventing those consumer devices from spoofing their 
source address, so BCP38.

The case where infected consumer devices originate non-source-spoofed queries towards DNS servers in order to overwhelm 
the servers themselves with perfectly legitimate-looking queries is a harder problem to solve at the edge, and is most 
easily mitigated for DNS server operators by the approach "ensure great headroom".


Joe