FW: Open Resolver Problems

Most of our DSL customers have modem/routers that resolve DNS
externally.
And most of those have no configuration option to stop it.
So, we took the unfortunate step of ACL blocking DNS requests to & from
the DSL network unless the requests are to our DNS servers.

Suboptimal, but it stopped the DNS amplification attacks.

I was going to suggest exactly this.

Don't most broadband networks have a line in their AUP about running servers? Wouldn't a DNS server count as 'a server'? Then wouldn't running one violate the AUP?

This gives the provider a hammer to hit the user over the head. Although that is quite unlikely, so the better point is that it also gives the provider cover in case some user complains about the provider filtering.

You can always make an exception if the user is extremely loud.

It might be a good idea to make pinholes for the Google and OpenDNS recursors, as they're fairly popular.

I agree that this is a good idea, similar to the same sort of network access policy as relates to SMTP.

Ahhh, silly of me, I read the post from Milt too quickly.

I was going to suggest queries _into_ the broadband user space, not out of. If you only block into, OpenDNS, GoogleDNS, etc. are not an issue.

Blocking could be done with DPI. It can also be done by blocking UDP port 53. (Don't need to block TCP53 since that removes the amplification problem.) However, there are some (idiotic) name servers that do 53<>53. Not sure how to handle those, or more importantly, how many broadband customers legitimately use an off-net _and_ brain-dead name server? And even if they do, will they fall back to TCP?

Of course, since users shouldn't be using off-net name servers anyway, this isn't really a problem! :slight_smile:

;>

It's easy enough to construct ACLs to restrict the broadband consumer access networks from doing so. Additional egress filtering would catch any reflected attacks, per your previous comments.
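A model of the access-network filtering discussed in this thread (block UDP/53 into the broadband pool except from the ISP's own recursors, leave TCP/53 alone, and drop egress packets with off-pool sources), as an added example that is not from any poster here; the prefixes, resolver addresses and flow records are constructed:

```python
import ipaddress

# Constructed addresses for the example (not the thread's): the broadband
# pool and the ISP's own recursive resolvers.
CUSTOMER_POOL = ipaddress.ip_network("192.0.2.0/24")
ISP_RESOLVERS = {ipaddress.ip_address("198.51.100.53"),
                 ipaddress.ip_address("198.51.100.54")}

def verdict(src, dst, proto, dport, direction):
    """Decide one flow; direction is 'in' (toward customers) or 'out'.

    Rule 1 (BCP38-style egress filter): a packet leaving the customer side
    must carry a source address from the customer pool.
    Rule 2 (the "block into" variant from the thread): UDP/53 toward a
    customer address is dropped unless it comes from the ISP's recursors,
    so CPE that answers on its WAN side cannot be used as a reflector.
    TCP/53 is left alone; the handshake removes the amplification.
    Off-net recursors (Google, OpenDNS) still work: the customer's query
    goes out on dport 53 and the reply comes back on an ephemeral port.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "out" and s not in CUSTOMER_POOL:
        return "drop"  # spoofed source leaving the access network
    if (direction == "in" and d in CUSTOMER_POOL and proto == "udp"
            and dport == 53 and s not in ISP_RESOLVERS):
        return "drop"  # query aimed at an open CPE resolver
    return "permit"

# Constructed flow records: (src, dst, proto, dport, direction)
FLOWS = [
    ("203.0.113.9", "192.0.2.17", "udp", 53, "in"),      # spoofed query hitting CPE WAN side
    ("198.51.100.53", "192.0.2.17", "udp", 53, "in"),    # pinhole for the ISP's own recursor
    ("8.8.8.8", "192.0.2.17", "udp", 40000, "in"),       # reply from an off-net recursor
    ("192.0.2.17", "8.8.8.8", "udp", 53, "out"),         # customer query to that recursor
    ("203.0.113.9", "198.51.100.7", "udp", 53, "out"),   # spoofed source, caught by BCP38
    ("203.0.113.9", "192.0.2.17", "tcp", 53, "in"),      # TCP/53 inbound, not amplifiable
]

def apply_policy(flows=FLOWS):
    """Return the verdict for each flow, in order."""
    return [verdict(*f) for f in flows]

if __name__ == "__main__":
    for flow, v in zip(FLOWS, apply_policy()):
        print(v, flow)
```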

> Most of our DSL customers have modem/routers that resolve DNS externally.
> And most of those have no configuration option to stop it.
> So, we took the unfortunate step of ACL blocking DNS requests to & from the DSL network unless the requests are to our DNS servers.
>
> Suboptimal, but it stopped the DNS amplification attacks.

Wow. Glad I'm not a customer of yours.

* patrick@ianai.net (Patrick W. Gilmore) [Mon 01 Apr 2013, 18:04 CEST]:

> I was going to suggest exactly this.
>
> Don't most broadband networks have a line in their AUP about running servers?

Huh? No. Thankfully. Not all of us are mindless consumers.

  -- Niels.

* patrick@ianai.net (Patrick W. Gilmore) [Mon 01 Apr 2013, 18:18 CEST]:

> Of course, since users shouldn't be using off-net name servers anyway, this isn't really a problem! :slight_smile:

You're joking, right? Should they also use only the telco-approved search engine, via the telco-hosted portal?

  -- Niels.

>> Most of our DSL customers have modem/routers that resolve DNS externally.
>> And most of those have no configuration option to stop it.
>> So, we took the unfortunate step of ACL blocking DNS requests to & from the DSL network unless the requests are to our DNS servers.
>>
>> Suboptimal, but it stopped the DNS amplification attacks.
>
> Wow. Glad I'm not a customer of yours.

I would say this is the wrong solution. Preventing your customers from spoofing is the first step; then ask them to fix their broken CPE.

If NETGEAR is listening on the WAN side vs the LAN/INSIDE they need to step up and issue fixed firmware, even if the device is older. Should be a simple fix.

* patrick@ianai.net (Patrick W. Gilmore) [Mon 01 Apr 2013, 18:04 CEST]:

>> I was going to suggest exactly this.
>>
>> Don't most broadband networks have a line in their AUP about running servers?
>
> Huh? No. Thankfully. Not all of us are mindless consumers.

I think it's easier to just classify an open-resolver similar to an open-relay without having to invoke the consumer mindset.

- Jared

* jared@puck.nether.net (Jared Mauch) [Mon 01 Apr 2013, 22:24 CEST]:

> I would say this is the wrong solution. Preventing your customers from spoofing is the first step; then ask them to fix their broken CPE.

I daresay that after ten years of discussion NANOG has reached consensus that implementing BCP38 is a good thing and that all networks should be encouraged to do so.

Net neutrality has not been discussed completely to death yet but I'm pretty confident in stating that squeezing consumer connections further down each time some blog hypes up yet another "The Internet is melting!" threat won't scale.

> If NETGEAR is listening on the WAN side vs the LAN/INSIDE they need to step up and issue fixed firmware, even if the device is older. Should be a simple fix.

I don't think anybody would disagree with this statement. Netgear did get into action when they DDoS'ed a university's NTP servers; perhaps similar sticks can be shaken in this case.

(Is Netgear one of the brands involved? Usually they're better.
  Pardon me for not reading the whole thread and the other five)

> I think it's easier to just classify an open-resolver similar to an open-relay without having to invoke the consumer mindset.

Two posts up in this thread we were talking about net-wide blocks without individual proof of open relay or equivalent status.

  -- Niels.

And only the telco approved web sites are accessible, and the only protocol supported is the telco approved http and then only to port 80 ...

* patrick@ianai.net (Patrick W. Gilmore) [Mon 01 Apr 2013, 18:18 CEST]:
>Of course, since users shouldn't be using off-net name servers
>anyway, this isn't really a problem! :slight_smile:

> You're joking, right? Should they also use only the telco-approved
> search engine, via the telco-hosted portal?

Far too many (perhaps not Patrick) in this thread are not joking. Laughter
gets stuck in my throat, as we say in Sweden. Having proper Internet
access is more and more a privilege for the Internet gentry that are
clued and able to pay for a box in a colo or similar.

The unwashed masses are left with "broadband". We can't call it "Internet"
because there are a few raving graybeards that claim they invented it
and intended it to be two-way instead of stuffing .flv down people's
facebook-viewing devices while also supplanting cable TV with demand
streaming.

</rant>

What percentage of the SOHO NAT boxes actually are full-service
resolvers? I was under the impression that most were mere forwarders; just
pushing queries on toward the DHCP'd full service resolvers of the ISP.

Actually a lot don't have such a line. Such lines are tantamount
to extortion, especially if the ISP supplies commercial grade lines.

That said blocking by default with the option to open it up on
request, the same as smtp is opened on request, might be viable.

Patrick's talking about consumer broadband access. Such AUP stipulations are quite common.

This is in no way 'tantamount to extortion'. Folks can either accept the AUP, or choose not to enter into a contract for the service in question under those conditions; there is no compulsion or coercion to do so.

> Such lines are tantamount to extortion especially if the ISP supplies
> commercial grade lines.

> Patrick's talking about consumer broadband access. Such AUP stipulations
> are quite common.

I know and I would still argue that they are tantamount to extortion.

> This is in no way 'tantamount to extortion'. Folks can either accept the
> AUP, or choose not to enter into a contract for the service in question
> under those conditions; there is no compulsion or coercion to do so.

So the home user that wants to run a server now has to pay for COLO
or pay the ISP for its commercial line that is delivered over the
same physical circuit for extra dollars, which gets what? Maybe an
upgraded SLA and maybe some static addresses.

There is no coercion involved, so, by definition, it can't be called 'extortion'. If you don't like the AUP, don't sign up for the service - simple as that.

Hyperbole isn't generally helpful.

;>

In an oligopoly situation, that's hardly a valid set of choices and is tantamount to extortion.

Owen

Yeah, I thought so, too, but apparently the FCC and the SEC haven't
seen it that way for the past 20 years. Go figure. :slight_smile:

- ferg

> In an oligopoly situation, that's hardly a valid set of choices

There's enough choice in most US markets (not all) to provide for a variety of services offered, AUPs, and price points. Wireless has brought an additional option to many previously underserved areas.

> and is tantamount to extortion.

Again, hyperbole doesn't help.

Another solution is to move to an area with more/better connectivity options, as some folks move in order to be zoned within a particular school district.

;>

The situation is gradually getting better, not worse - and that's progress, even if it isn't as fast as we'd all like.

> Yeah, I thought so, too, but apparently the FCC and the SEC haven't
> seen it that way for the past 20 years. Go figure. :slight_smile:

The FCC doesn't understand that 4Mbps customer-facing speed on the tail circuit alone does NOT define broadband in a meaningful way.

The SEC does not understand that IPv4 risk and the lack of an IPv6 strategy should be a required risk consideration in a Sarbanes Oxley filing.

I have little hope that these particular federal agencies will ever agree with me about such nuanced issues.

Owen