Message ID | 2ed9b3f6-28eb-3922-5501-f431df64e5ba@ipfire.org |
---|---|
State | Rejected |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HGh3N1rvzz3x1J for <patchwork@web04.haj.ipfire.org>; Sat, 25 Sep 2021 07:53:20 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HGh3L47zRz6nJ; Sat, 25 Sep 2021 07:53:18 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HGh3L2NDXz2yDs; Sat, 25 Sep 2021 07:53:18 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HGh3J686Nz2yDs for <development@lists.ipfire.org>; Sat, 25 Sep 2021 07:53:16 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4HGh3H57Qbz14b for <development@lists.ipfire.org>; Sat, 25 Sep 2021 07:53:15 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1632556396; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=MvquuRSscNcXJCF7/3hisLa7yOUD10+I7WnwixwvtYY=; b=be8LfJfoYpJOW9cfvQFbR4KQia1B2iunBuQT7wzVNH2Aioj/LbDVP1ohejiR9mizzAxLM4 /ayyI/DJTRyCdHDA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1632556396; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=MvquuRSscNcXJCF7/3hisLa7yOUD10+I7WnwixwvtYY=; b=t4fqV/rbHyfryFFBP6xNrjx+wutfYDTIku4bMgve9X40eC/dpxMW+GDOrXFtecnhvSSPE4 EWgcOJdCFr7n0CQ0zFS2SYSzsMP1ZzLJTF1eb9YqeIol0LZLKKi7cU2XcuNVTAJLBb996Y WoSZO0WHGhMeeMeSD2k+lPFaXdqOIkgk9EsleYJ5UgzNV8xU6k2L4o1Qu51+BsyC1bGDgV 4k/1bQLdS6wg5f2ekuMgntLldyzPKklKsi7ArbwT6xSVguJqwKPNFMVxS7DVUX/vJAG/wz 6bg4qfoTVuZpgZX0D+bcgJuMalVeMEBj8r8xhgWbI0oCZgWbxFt/tu4wTgYz/w== To: "IPFire: Development" <development@lists.ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org> Subject: [RFC PATCH] Unbound: Deny DNS queries of type ANY Message-ID: <2ed9b3f6-28eb-3922-5501-f431df64e5ba@ipfire.org> Date: Sat, 25 Sep 2021 09:53:13 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
[RFC] Unbound: Deny DNS queries of type ANY
|
|
Commit Message
Peter Müller
Sept. 25, 2021, 7:53 a.m. UTC
While not inherently malicious, ANY queries are nowadays commonly used
in DNS-based DDoS attacks, since nameservers must respond with a _very_
large answer to a very small query.
In 2015, Cloudflare stopped responding to them altogether (see:
https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/), and
several discussions took place in various DNS operator working groups,
ultimately resulting in RFC 8482 (https://datatracker.ietf.org/doc/html/rfc8482).
Aside from - very uncommon - debugging or enumerating purposes, there is
little legitimate reason why a client behind IPFire needs to conduct an
ANY query. In fact, no up-to-date implementation of some legitimate software
has been observed doing so in the recent past.
To prevent IPFire from unintentionally participating in a DDoS attack,
this patch changes the handling of ANY queries, forbidding them
altogether.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/unbound/unbound.conf | 1 +
1 file changed, 1 insertion(+)
Comments
Acked-by : Bernhard Bitsch <bbitsch@ipfire.org> Am 25.09.2021 um 09:53 schrieb Peter Müller: > While not inherently malicious, ANY queries are nowadays commonly used > in DNS-based DDoS attacks, since nameservers must respond with a _very_ > large answer to a very small query. > > In 2015, Cloudflare stopped responding to them altogether (see: > https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/), and > several discussions took place in various DNS operator working groups, > ultimately resulting in RFC 8482 (https://datatracker.ietf.org/doc/html/rfc8482). > > Aside from - very uncommon - debugging or enumerating purposes, there is > little legitimate reason why a client behind IPFire needs to conduct an > ANY query. In fact, no up-to-date implementation of some legitimate software > has been observed doing so in the recent past. > > To prevent IPFire from unintentionally participating in a DDoS attack, > this patch changes the handling of ANY queries, forbidding them > altogether. > > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > config/unbound/unbound.conf | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf > index 9d5e840dd..3848b0f71 100644 > --- a/config/unbound/unbound.conf > +++ b/config/unbound/unbound.conf > @@ -40,6 +40,7 @@ server: > harden-large-queries: yes > harden-referral-path: yes > aggressive-nsec: yes > + deny-any: yes > > # TLS > tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt >
Hello Bernhard, thanks for your reply. Due to the extra space, Patchwork did not parse it. Therefore, I take the liberty to: Acked-by: Bernhard Bitsch <bbitsch@ipfire.org> :-) Thanks, and best regards, Peter Müller > Acked-by : Bernhard Bitsch <bbitsch@ipfire.org> > > Am 25.09.2021 um 09:53 schrieb Peter Müller: >> While not inherently malicious, ANY queries are nowadays commonly used >> in DNS-based DDoS attacks, since nameservers must respond with a _very_ >> large answer to a very small query. >> >> In 2015, Cloudflare stopped responding to them altogether (see: >> https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/), and >> several discussions took place in various DNS operator working groups, >> ultimately resulting in RFC 8482 (https://datatracker.ietf.org/doc/html/rfc8482). >> >> Aside from - very uncommon - debugging or enumerating purposes, there is >> little legitimate reason why a client behind IPFire needs to conduct an >> ANY query. In fact, no up-to-date implementation of some legitimate software >> has been observed doing so in the recent past. >> >> To prevent IPFire from unintentionally participating in a DDoS attack, >> this patch changes the handling of ANY queries, forbidding them >> altogether. >> >> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >> --- >> config/unbound/unbound.conf | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf >> index 9d5e840dd..3848b0f71 100644 >> --- a/config/unbound/unbound.conf >> +++ b/config/unbound/unbound.conf >> @@ -40,6 +40,7 @@ server: >> harden-large-queries: yes >> harden-referral-path: yes >> aggressive-nsec: yes >> + deny-any: yes >> # TLS >> tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt >>
Hello, I would like to NACK this change. > On 25 Sep 2021, at 08:53, Peter Müller <peter.mueller@ipfire.org> wrote: > > While not inherently malicious, ANY queries are nowadays commonly used > in DNS-based DDoS attacks, since nameservers must respond with a _very_ > large answer to a very small query. ANY requests are definitely very common, but they are not the only record type being used for this. > In 2015, Cloudflare stopped responding to them altogether (see: > https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/), and > several discussions took place in various DNS operator working groups, > ultimately resulting in RFC 8482 (https://datatracker.ietf.org/doc/html/rfc8482). Yes sure. Why would Cloudflare try to fix things when there is a much cheaper alternative? Just turning everything off. > Aside from - very uncommon - debugging or enumerating purposes, there is > little legitimate reason why a client behind IPFire needs to conduct an > ANY query. In fact, no up-to-date implementation of some legitimate software > has been observed doing so in the recent past. Indeed clients (if every) send an ANY query. However, debugging DNS is a common operation and sending an ANY query helps to figure out any problems very quickly. I would therefore like to NACK this proposal because we are basically destroying DNS here. We are making it harder for users to use and debug their DNS system. I am personally affected by this change. I also do not see any benefit here. IPFire’s DNS system isn’t designed to be publicly accessible on the internet. If people decide to do so, then it requires more configuration and they are welcome to add this configuration line to filter ANY requests, too - do they wish so. > To prevent IPFire from unintentionally participating in a DDoS attack, > this patch changes the handling of ANY queries, forbidding them > altogether. This change isn’t helping anyone. Maybe Cloudflare wants to look like the “good guy”, but filtering ANY requests doesn’t change anything. What about DNSSEC-signed responses? They would be larger and make an amplification attack possible. What about TXT records? Are we going to filter them next if they are longer than the query packet? That probably would destroy DMARC, DKIM, SPF, IPSECKEY, SSHFP and many many other applications. It is a common thing on the internet to send a small query and receive a bigger response. It is part of its nature. However blocking that is only destroying our protocols which become limited in their application. I could live with a rate-limiting which is what the Lightning Wire Labs DNS service is applying. That way, debugging is still possible, and abusing the service isn’t. There is also rate-limiting on all other record types, just not as strict as on ANY queries. -Michael > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > config/unbound/unbound.conf | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf > index 9d5e840dd..3848b0f71 100644 > --- a/config/unbound/unbound.conf > +++ b/config/unbound/unbound.conf > @@ -40,6 +40,7 @@ server: > harden-large-queries: yes > harden-referral-path: yes > aggressive-nsec: yes > + deny-any: yes > > # TLS > tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt > -- > 2.26.2
Hello, after reading Michael's annotations, I must agree to his arguments. So I reject my ACK. Regards, Bernhard Am 28.09.2021 um 12:53 schrieb Michael Tremer: > Hello, > > I would like to NACK this change. > >> On 25 Sep 2021, at 08:53, Peter Müller <peter.mueller@ipfire.org> wrote: >> >> While not inherently malicious, ANY queries are nowadays commonly used >> in DNS-based DDoS attacks, since nameservers must respond with a _very_ >> large answer to a very small query. > > ANY requests are definitely very common, but they are not the only record type being used for this. > >> In 2015, Cloudflare stopped responding to them altogether (see: >> https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/), and >> several discussions took place in various DNS operator working groups, >> ultimately resulting in RFC 8482 (https://datatracker.ietf.org/doc/html/rfc8482). > > Yes sure. Why would Cloudflare try to fix things when there is a much cheaper alternative? Just turning everything off. > >> Aside from - very uncommon - debugging or enumerating purposes, there is >> little legitimate reason why a client behind IPFire needs to conduct an >> ANY query. In fact, no up-to-date implementation of some legitimate software >> has been observed doing so in the recent past. > > Indeed clients (if every) send an ANY query. However, debugging DNS is a common operation and sending an ANY query helps to figure out any problems very quickly. > > I would therefore like to NACK this proposal because we are basically destroying DNS here. We are making it harder for users to use and debug their DNS system. I am personally affected by this change. > > I also do not see any benefit here. IPFire’s DNS system isn’t designed to be publicly accessible on the internet. If people decide to do so, then it requires more configuration and they are welcome to add this configuration line to filter ANY requests, too - do they wish so. > >> To prevent IPFire from unintentionally participating in a DDoS attack, >> this patch changes the handling of ANY queries, forbidding them >> altogether. > > This change isn’t helping anyone. Maybe Cloudflare wants to look like the “good guy”, but filtering ANY requests doesn’t change anything. What about DNSSEC-signed responses? They would be larger and make an amplification attack possible. What about TXT records? Are we going to filter them next if they are longer than the query packet? That probably would destroy DMARC, DKIM, SPF, IPSECKEY, SSHFP and many many other applications. > > It is a common thing on the internet to send a small query and receive a bigger response. It is part of its nature. However blocking that is only destroying our protocols which become limited in their application. > > I could live with a rate-limiting which is what the Lightning Wire Labs DNS service is applying. That way, debugging is still possible, and abusing the service isn’t. There is also rate-limiting on all other record types, just not as strict as on ANY queries. > > -Michael > >> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >> --- >> config/unbound/unbound.conf | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf >> index 9d5e840dd..3848b0f71 100644 >> --- a/config/unbound/unbound.conf >> +++ b/config/unbound/unbound.conf >> @@ -40,6 +40,7 @@ server: >> harden-large-queries: yes >> harden-referral-path: yes >> aggressive-nsec: yes >> + deny-any: yes >> >> # TLS >> tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt >> -- >> 2.26.2 >
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 9d5e840dd..3848b0f71 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -40,6 +40,7 @@ server: harden-large-queries: yes harden-referral-path: yes aggressive-nsec: yes + deny-any: yes # TLS tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt