From shane at time-travellers.org Wed May 1 14:28:34 2024
From: shane at time-travellers.org (Shane Kerr)
Date: Wed, 1 May 2024 14:28:34 +0200
Subject: [dns-resolver-tf] Fwd: [ripe-list] DNS Resolver Recommendations Published (ripe-823)
In-Reply-To: <81b42d0f-398d-4fbb-b0a3-8f738169150d@zu-hause.nl>
References: <81b42d0f-398d-4fbb-b0a3-8f738169150d@zu-hause.nl>

Hello fellow task force members,

RIPE officially published our recommendations as a RIPE document today. With that, I consider our work on the task force done. Thank you all very much!

I am working with three public resolver operators to put together a 25 minute session at the DNS working group at the upcoming RIPE meeting. We will be comparing the recommendations in the task force document with their actual operations, and hopefully digging into the differences or details in an interesting way.

I think there will be more work in this area, whether that is in RIPE or in other forums, and I look forward to any chance to work with any of you in the future.

Cheers,

--
Shane

-------------- next part --------------
An embedded message was scrubbed...
From: Mirjam Kuehne
Subject: [ripe-list] DNS Resolver Recommendations Published (ripe-823)
Date: Wed, 01 May 2024 12:05:27 +0000
Size: 8135


From shane at time-travellers.org Wed May 1 17:09:21 2024
From: shane at time-travellers.org (Shane Kerr)
Date: Wed, 1 May 2024 17:09:21 +0200
Subject: [dns-resolver-tf] DNS Resolver Recommendations
Message-ID: <81ab2030-6963-4738-996a-e4166c02d0d5@time-travellers.org>

Hank,

On 01/05/2024 15.27, Hank Nussbacher wrote:
>
> Under the section discussing Ingress Filtering you failed to discuss the
> issue of fragment filtering.
>
> A very common and powerful DDoS attack is UDP fragment attack:
>
> https://ddos-guard.net/en/terms/ddos-attack-types/udp-fragmentation-flood
>
> The common thing many ISPs as well as enterprises do to mitigate the
> attack is to block all fragments which on most servers has almost no
> effect. But on DNS and VPN servers, blocking fragments is fatal and
> therefore a warning needs to be put into the doc that UDP fragments
> should *never* be blocked to DNS servers - even when under fragment
> attack. See:
>
> https://puck.nether.net/pipermail/cisco-nsp/2023-December/108992.html
>
> for further details.

Thanks for this!

As mentioned in the thread there, using fragmentation avoidance should limit the need for fragments, which means blocking them should be basically okay.

Fragmentation in DNS and how to avoid it is discussed in some detail in this IETF draft, which is referenced in the DNS Resolver Recommendations document:

https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/

Clients of resolvers will basically never send any large packets; although it is theoretically possible to build a valid query larger than 1232 bytes, in practice this is never seen. So no fragmented packets will arrive from there.

Responses from authority servers should respect the EDNS0 buffer size and not fragment, although I suppose it is possible for some networks to have a smaller MTU than 1280 and want to fragment replies. In practice this should never happen either.

So I think the right answer is to tune your DNS to avoid fragments, and then you can block them at will.

IMHO, fragments in general are a badly designed and terribly insecure feature of IPv4 which was made worse when dragged into IPv6 and then made worse by removing the ability to fragment in the network itself. Blocking them seems like a good idea!

Cheers,

--
Shane


From hank at interall.co.il Wed May 1 15:27:20 2024
From: hank at interall.co.il (Hank Nussbacher)
Date: Wed, 1 May 2024 16:27:20 +0300
Subject: [dns-resolver-tf] DNS Resolver Recommendations

Hello.

Under the section discussing Ingress Filtering you failed to discuss the issue of fragment filtering.

A very common and powerful DDoS attack is UDP fragment attack:

https://ddos-guard.net/en/terms/ddos-attack-types/udp-fragmentation-flood

The common thing many ISPs as well as enterprises do to mitigate the attack is to block all fragments which on most servers has almost no effect. But on DNS and VPN servers, blocking fragments is fatal and therefore a warning needs to be put into the doc that UDP fragments should *never* be blocked to DNS servers - even when under fragment attack. See:

https://puck.nether.net/pipermail/cisco-nsp/2023-December/108992.html

for further details.

Regards,
Hank
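The fragmentation-avoidance point in Shane's reply above (advertise an EDNS0 buffer of 1232 bytes so responses fit in an unfragmented 1280-byte IPv6 packet, then fragments can safely be dropped) illustrated as an added example; this code is not from the thread or from the RIPE document. It assumes IPv4 headers without options (20 bytes) and constructs its own sample DNS messages.

```python
import struct

IPV6_MIN_MTU = 1280            # smallest link MTU IPv6 guarantees
IPV6_HDR, IPV4_HDR, UDP_HDR = 40, 20, 8   # IPv4 assumed without options

def max_unfragmented_payload(path_mtu, ipv6=True):
    """Largest UDP payload that fits in one packet on a path with this MTU.
    For the IPv6 minimum MTU this is 1280 - 40 - 8 = 1232, the usual EDNS0 size."""
    return path_mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - UDP_HDR

def build_query(name, qtype=1, bufsize=1232, txid=0x1234):
    """Build a DNS/UDP query carrying an EDNS0 OPT record that advertises `bufsize`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def advertised_bufsize(msg):
    """Return the EDNS0 UDP payload size found in a DNS message, or None if it has no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass                          # CLASS field carries the buffer size
        off += 10 + rdlen
    return None

def fits_without_fragmentation(payload_len, path_mtu=IPV6_MIN_MTU, ipv6=True):
    """True if a UDP DNS message of this size crosses the path in a single packet."""
    return payload_len <= max_unfragmented_payload(path_mtu, ipv6)
```

A resolver that advertises 1232 and whose upstreams honour it will see every UDP response pass `fits_without_fragmentation`, with larger answers arriving truncated (TC) and retried over TCP instead of as fragments.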