Allow DROP'ing requests that would result in DENIED responses
Description
There has been an increase over the last few years in the abuse of nameservers for DNS amplification attacks - or even just to send data to target IP addresses. One I've seen documented lately in wide use is an RRSIG request for pizzaseo.com. Even if you send back a DENIED response, you still add 30 bytes per response to the forged targets.
There seems to be a patch for an older version of BIND that will swap out REFUSED responses with a DROP, e.g.:
--- bind9-9.9.5.dfsg/bin/named/query.c.orig Thu Aug 6 21:56:57 2020
+++ bind9-9.9.5.dfsg/bin/named/query.c Thu Aug 6 22:08:15 2020
@@ -1038,7 +1038,7 @@
sizeof(msg));
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_QUERY, ISC_LOG_INFO,
- "%s denied", msg);
+ "%s dropped", msg);
}
/*
* We've now evaluated the view's query ACL, and
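Review bot: the string change at `- "%s denied"` / `+ "%s dropped"` relabels every ACL rejection logged here as "dropped", but the actual response change lives in the second hunk and only covers the `!PARTIALANSWER(client)` branch, so this message can claim a drop that did not happen; because it goes to DNS_LOGCATEGORY_SECURITY, log parsers keyed on "denied" will also stop matching silently. Suggest keeping "denied" here and logging "dropped" only on the path where the drop is taken, or choosing the word from the configured behaviour.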
@@ -5809,8 +5809,9 @@
} else
inc_stats(client, dns_nsstatscounter_authrej);
if (!PARTIALANSWER(client))
- QUERY_ERROR(DNS_R_REFUSED);
- } else
+ // QUERY_ERROR(DNS_R_REFUSED);
+ QUERY_ERROR(DNS_R_DROP);
+ } else
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
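Review bot: `+ // QUERY_ERROR(DNS_R_REFUSED);` leaves dead code behind (and a `//` comment where the surrounding code uses block comments); delete the line instead of commenting it out. The larger issue is that the switch to `QUERY_ERROR(DNS_R_DROP)` is unconditional, whereas the request asks for a named.conf option: as written, every denied query for every deployment stops getting REFUSED, so misdirected legitimate clients time out instead of failing fast. The `- } else` / `+ } else` pair is a whitespace-only change that adds noise to the hunk. Suggest gating the DNS_R_DROP on a new configuration option with DNS_R_REFUSED as the default.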
# diff -u query.c.orig query.c
Request
It would be nice to have an option in the named.conf configuration schema that would allow DROPping replies for denied / refused queries and not respond to potential attackers at all.
A wrongly targeted client would simply time out on the DNS lookup instead of getting an immediate DENIED response, which wouldn't be the end of the world, making the risk somewhat minimal. Authoritative or allowed queries would still happen as per normal.
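Whether or not named grows a drop option, an operator can already see the reflection traffic the description talks about in the security-category log, because every refused query is logged with the "denied" message shown in the first hunk. The following script is an added example (not part of this issue and not BIND code): it parses lines in the shape of BIND's security log, counts denied queries per source address and query type, and reports the addresses whose denied-query volume looks like a reflection flood. The log lines are constructed, the exact log format is an assumption, and the 30-byte figure reuses the per-response overhead quoted in the description; note that the flagged source is the forged victim, so the natural response is rate limiting or dropping rather than "blocking an attacker".

```python
"""Spot sources hammering a BIND resolver with queries it refuses.

Added example (not part of the issue or of BIND): parses lines in the shape
of BIND's DNS_LOGCATEGORY_SECURITY "... denied" messages, counts denied
queries per source address and per query type, and flags addresses whose
denied-query volume indicates reflection abuse.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the assumed shape of BIND's security log.
# 198.51.100.7 plays the forged victim of an RRSIG/pizzaseo.com flood,
# 203.0.113.5 is an ordinary client that hit the ACL once.
SAMPLE_LOG = """\
06-Aug-2020 21:56:57.101 security: info: client 198.51.100.7#3921 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
06-Aug-2020 21:56:57.103 security: info: client 198.51.100.7#3921 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
06-Aug-2020 21:56:57.105 security: info: client @0x55d1c0a3e2f0 198.51.100.7#3921 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
06-Aug-2020 21:56:57.110 security: info: client 203.0.113.5#53011 (example.net): query (cache) 'example.net/A/IN' denied
06-Aug-2020 21:56:57.112 security: info: client 198.51.100.7#3921 (pizzaseo.com): query (cache) 'pizzaseo.com/ANY/IN' denied
06-Aug-2020 21:56:58.000 queries: info: client 203.0.113.5#53011 (example.net): query: example.net IN A + (192.0.2.1)
"""

# Tolerates the optional "@0x..." client pointer newer versions print.
DENIED_RE = re.compile(
    r"security: \w+: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query \([^)]*\) '(?P<name>[^/]+)/(?P<qtype>[^/]+)/[^']+' denied"
)


def parse_denied(log_text):
    """Return (ip, qname, qtype) for every 'denied' security-log line."""
    out = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("name").lower(), m.group("qtype")))
    return out


def denied_by_source(log_text):
    """Count denied queries per source address, broken down by query type."""
    per_ip = defaultdict(Counter)
    for ip, _name, qtype in parse_denied(log_text):
        per_ip[ip][qtype] += 1
    return per_ip


def likely_reflection_victims(log_text, threshold=3, bytes_per_refused=30):
    """Addresses with at least `threshold` denied queries.

    Returns {ip: {"denied": n, "top_qtype": t, "bytes_reflected": n * bytes_per_refused}}.
    bytes_per_refused is the rough per-response overhead the issue quotes for a
    REFUSED/DENIED answer, i.e. what the server still sends toward the spoofed address.
    """
    report = {}
    for ip, qtypes in denied_by_source(log_text).items():
        total = sum(qtypes.values())
        if total >= threshold:
            report[ip] = {
                "denied": total,
                "top_qtype": qtypes.most_common(1)[0][0],
                "bytes_reflected": total * bytes_per_refused,
            }
    return report


if __name__ == "__main__":
    for ip, info in sorted(likely_reflection_victims(SAMPLE_LOG).items()):
        print(f"{ip}: {info['denied']} denied, mostly {info['top_qtype']}, "
              f"~{info['bytes_reflected']} bytes reflected")
```

Run it against a real `security` channel file instead of SAMPLE_LOG to get per-source counts; the threshold is deliberately low for the constructed sample and should be tuned to the resolver's normal ACL-miss rate.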
Links / references
https://www.linkedin.com/pulse/stop-feeding-pizza-ddos-dns-attack-jason-muskat