On 1/23/19 2:08 PM, Thomas Mieslinger wrote:
> Let's take the output of
>
> dig +dnssec aaaa ns-de.ui-dns.de @a.nic.de
>
> as an example. If the additional section was tweaked, pdns_recursor has
> no real chance to detect this.

That's actually a very good example because, unless I'm mistaken, every single NS in the set requires glue to be usable.

> Asking all other authoritative servers from the authority section is
> already done if I interpret the output of rec_control trace-regex
> correctly. A well-prepared attacker should be able to tweak the
> additional section of the other delegating nameservers too, so that an
> attacked pdns_recursor ends up with something other than
> ns-de.ui-dns.de. A 217.160.80.193 in the cache.
>
> So I either filter away fragments (for the recursors) or I dnssec sign
> ui-dns.de (on my authoritative servers) to be safe.

You can filter away fragments, but I'm afraid this will lead to timeouts, or even to some domains not resolving anymore.

Most of the countermeasures are applicable to the authoritative servers, and there isn't a lot one can do on the recursor's side.

One option is to lower the value of edns-outgoing-bufsize enough to reduce the likelihood of getting fragmented answers in the first place, which is what we are doing by default in the (not yet released) 4.2.0 version, see [1], but you can also apply that setting today. Lowering that value too much will lead to issues with authoritative servers that do not handle queries over TCP, as Let's Encrypt recently learned the hard way after switching to 512 bytes.

We are also experimenting with the scrubbing of most of the additional records for 4.2.0, see [2], but we still need to accept some of these, so this is never going to perfectly prevent that issue.

Signing your domain with DNSSEC will prevent spoofed answers, but will unfortunately not prevent a DoS since the glue records are not signed.

I'm afraid there is no silver bullet, although some measures can be deployed to reduce the risk.

[1]: https://github.com/PowerDNS/pdns/pull/7307
[2]: https://github.com/PowerDNS/pdns/pull/7404

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
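The two recursor-side measures discussed in this thread, the advertised EDNS UDP payload size (what edns-outgoing-bufsize controls) and scrubbing of the additional section, can be illustrated on the wire. The following is an added example written for this page; it is not PowerDNS code and does not reproduce the logic of the linked pull requests. It builds a referral the way a parent server would send it, then applies a bailiwick rule: an address record in the additional section is kept only if it is glue for an NS target named in the authority section and lives at or below the delegated zone. The zone example.de, its name servers, the addresses, and the query ID are constructed sample data. Note that the kept records are precisely the in-zone glue a recursor cannot refuse, which is why scrubbing never fully closes the hole and why DNSSEC (which does not sign glue) does not either.

```python
# Added example, not PowerDNS code: a minimal DNS wire builder/parser, a bailiwick
# scrub of a referral's additional section, and the EDNS payload size that a setting
# like edns-outgoing-bufsize puts on the wire. All names/addresses are constructed.
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT = 1, 2, 28, 41

def encode_name(name):
    """Dotted name -> uncompressed wire format; "." becomes a single zero byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(msg, off):
    """Read a name at `off`, following RFC 1035 compression pointers; return (name, end)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: remember where we were, then jump
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def rr(name, rtype, rdata, ttl=3600, rclass=1):  # NAME TYPE CLASS TTL RDLENGTH RDATA
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_referral(qname, qtype, zone, ns_names, addresses):
    """Parent-side referral: NS set in the authority section, addresses in additional."""
    authority = b"".join(rr(zone, TYPE_NS, encode_name(n)) for n in ns_names)
    additional = b""
    for owner, addr in addresses:
        ip = ipaddress.ip_address(addr)
        additional += rr(owner, TYPE_A if ip.version == 4 else TYPE_AAAA, ip.packed)
    header = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, len(ns_names), len(addresses))
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + authority + additional

def build_query(qname, qtype, udp_payload_size):
    """Query with an OPT RR whose CLASS field advertises the UDP payload size
    (the value a recursor's edns-outgoing-bufsize setting controls)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # RD set, one additional RR
    opt = rr(".", TYPE_OPT, b"", ttl=0, rclass=udp_payload_size)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + opt

def parse_message(msg):
    """Return [answer, authority, additional]; each RR as (name, type, class, ttl, rdata)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, sections = 12, []
    for _ in range(qd):  # skip the question section
        off = decode_name(msg, off)[1] + 4
    for count in (an, ns, ar):
        records = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == TYPE_NS:  # may be compressed, so decode against the whole message
                rdata = decode_name(msg, off)[0]
            elif rtype in (TYPE_A, TYPE_AAAA):
                rdata = str(ipaddress.ip_address(rdata))
            records.append((name, rtype, rclass, ttl, rdata))
            off += rdlen
        sections.append(records)
    return sections

def scrub_additional(msg):
    """Keep an additional A/AAAA record only if it is glue for an NS target named in the
    authority section AND its owner sits at or below the delegated zone; drop the rest.
    Returns (kept, dropped). The kept in-zone glue is unsigned even under DNSSEC."""
    _, authority, additional = parse_message(msg)
    ns = [r for r in authority if r[1] == TYPE_NS]
    zones, targets = {r[0] for r in ns}, {r[4] for r in ns}
    kept, dropped = [], []
    for owner, rtype, _, _, rdata in additional:
        in_zone = any(z == "." or owner == z or owner.endswith("." + z) for z in zones)
        ok = rtype in (TYPE_A, TYPE_AAAA) and owner in targets and in_zone
        (kept if ok else dropped).append((owner, rtype, rdata))
    return kept, dropped

def advertised_bufsize(msg):
    """UDP payload size from the message's OPT RR, or 512 when there is none."""
    for _, rtype, rclass, _, _ in parse_message(msg)[2]:
        if rtype == TYPE_OPT:
            return rclass
    return 512

# Constructed referral for example.de: two in-zone NS (their glue is required), one
# out-of-zone NS, and two records of the kind a spoofed second fragment would carry.
SAMPLE_REFERRAL = build_referral(
    "www.example.de.", TYPE_A, "example.de.",
    ["ns1.example.de.", "ns2.example.de.", "ns.example.net."],
    [("ns1.example.de.", "192.0.2.1"), ("ns2.example.de.", "2001:db8::2"),
     ("ns.example.net.", "198.51.100.1"), ("www.example.de.", "203.0.113.7")])
```

Running scrub_additional(SAMPLE_REFERRAL) keeps the A/AAAA records for ns1.example.de and ns2.example.de and drops the out-of-bailiwick address for ns.example.net and the unrelated www.example.de record; build_query("example.de.", TYPE_A, 1232) produces an OPT record advertising 1232 bytes, which advertised_bufsize reads back. The bailiwick test here is deliberately strict (owner must be an NS target of this very delegation); a production resolver has to weigh that against resolution failures for delegations whose parents send sloppier additional sections, which is the trade-off the reply above describes.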
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users