DNS Lookup - Filter "localhost"

Radke_Justin · November 17, 2014, 9:11pm

This past weekend we started receiving bursts of lookups on our DNS server
for "localhost." We blocked our subscriber abusing this lookup (most
assuredly malware and not intentional) but curious what safeguards you put
in place for DOS attacks on your DNS servers.

1. As an ISP do you see a problem with blocking localhost on your DNS
servers? (we don't see any validity to these requests but checking with you
to see if we've overlooked something).
2. Do you have an actual localhost zone that issues 127.0.0.1?
3. Do you block >512 Bytes DNS requests?
4. Do you block non-UDP DNS requests or rate-limit requests?
5. Anything else you block/filter on your DNS servers?

-=JGR

Stephen_Satchell · November 17, 2014, 10:06pm

This past weekend we started receiving bursts of lookups on our DNS server
for "localhost." We blocked our subscriber abusing this lookup (most
assuredly malware and not intentional) but curious what safeguards you put
in place for DOS attacks on your DNS servers.

1. As an ISP do you see a problem with blocking localhost on your DNS
servers? (we don't see any validity to these requests but checking with you
to see if we've overlooked something).

Not really

2. Do you have an actual localhost zone that issues 127.0.0.1?

Yes

3. Do you block >512 Bytes DNS requests?

No.

4. Do you block non-UDP DNS requests or rate-limit requests?

Yes

5. Anything else you block/filter on your DNS servers?

block/limit "any" queries
block/limit "root NS" queries
block anycast/broadcast source address packets
block fragmented packets

Anders_Lowinger2 · November 17, 2014, 10:49pm

4. Do you block non-UDP DNS requests or rate-limit requests?

Yes

Why? RFC5966 DNS Transport over TCP - Implementation Requirements

You make it very hard for DNSSEC

5. Anything else you block/filter on your DNS servers?

block fragmented packets

Why? You then block EDNS0, which DNSSEC uses. (UDP packets up to 4096 bytes,
then TCP)

/Anders

David_Conrad3 · November 18, 2014, 12:46am

3. Do you block >512 Bytes DNS requests?

How many > 512 byte DNS requests are people seeing?

Perhaps the requester meant > 512 byte DNS responses?

Blocking > 512 byte responses would be ... unfortunate.

4. Do you block non-UDP DNS requests or rate-limit requests?

Yes

I presume (hope) the "yes" applies rate limiting? Blocking non-UDP DNS is a bad idea. As RFC 5966 states: "... it should be noted that failure to support TCP (or the blocking of DNS over TCP at the network layer) may result in resolution failure and/or application-level timeouts."

block anycast/broadcast source address packets

How do you know if a source address is an anycast address?

block fragmented packets

Why would you want to block fragmented packets?

Regards,
-drc

Tony_Finch · November 18, 2014, 10:25am

2. Do you have an actual localhost zone that issues 127.0.0.1?

Yes. I think this is best practice though it isn't required by RFC 6303
and isn't set up by default in BIND like the empty reverse DNS zones.

3. Do you block >512 Bytes DNS requests?

512 byte requests are unlikely to be valid. Blocking >512 byte answers
breaks the DNS.

4. Do you block non-UDP DNS requests or rate-limit requests?

Blocking TCP requests breaks the DNS. See RFC 5966.

5. Anything else you block/filter on your DNS servers?

Have a look at these slides, especially the last 12 on mitigating abuse of
recursive servers.

http://www.isc.org/wp-content/uploads/2014/11/DNS-RRL-LISA14.pdf

Tony.