Unbound as public DNSSEC resolver

Hello

I'm thinking of using Unbound as a public DNSSEC-aware resolver with some spare resources on an already existing server. Therefore I'm looking for any hints on how to harden it regarding resource limits and abuse against third parties (DoS amplifier).

Thanks for any hints/comments

Andreas

Oops, sorry. I forgot to disable S/MIME for the list mail.

But the question remains:

What is "best practice" to limit the resources used and to be a good citizen when using Unbound as a public DNSSEC-aware resolver, or is it not recommended at all?

Many Thanks

Andreas

Quoting lst_hoe02@kwsoft.de:

> What is "best practice" to limit the resources used and to be a good citizen when using Unbound as a public DNSSEC-aware resolver, or is it not recommended at all?

Still no answer for this one, so I guess it is not recommended at all...

Regards

Andreas

If "public" means a DNS resolver that can be used by anyone, without
restrictions to local clients/networks/IP addresses, then yes, it is a
bad thing and not recommended, because it can be used to attack other
hosts on the net (in DDoS attacks).

-- Carsten

> What is "best practice" to limit the resources used and to be a good
> citizen when using Unbound as a public DNSSEC-aware resolver, or is it
> not recommended at all?
>
> Still no answer for this one, so I guess it is not recommended at all...

I guess the limits depend on what you think it takes to be a "good
citizen" and how many queries your resolvers usually receive.

I run a public Unbound resolver, mainly because my few mobile clients
call in from various networks and Unbound doesn't support TSIG.

I watch the resolver's munin graphs occasionally and set limits in the
munin configuration. Any larger spikes in query rate or network traffic
should trigger a warning by mail. The current threshold is set at about
10 times the average query rate (which is very low, anyway).

The usual amplification queries for ". NS" come in at <= 1 qps and are
hardly noticeable even on a lightly queried server. If you're concerned
about that and can live with denying priming queries to your clients,
you can drop those with an exact packet filter match.

Here's a u32 match expression for Linux netfilter:

# 0>>22&0x3C = IPv4 header length, so the offsets follow IHL; @12>>16=1: QDCOUNT==1; @20>>24=0: QNAME is the root "."; @21=0x00020001: QTYPE NS, QCLASS IN
-A FORWARD -i eth0 -p udp --dport 53 -m u32 --u32 "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001" -j DROP

HTH,
Hauke.
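To show exactly what that u32 expression matches, and why every clause begins with `0>>22&0x3C`, here is an added example in Python that is not from the thread. It builds a few constructed IPv4/UDP/DNS query packets (addresses are documentation ranges, not real traffic), evaluates the three clauses on them the way xt_u32 does (a read past the end of the packet makes the match fail), and also classifies queries generically with a proper question parser, which goes beyond the single ". NS" case to the ANY queries that are equally popular for reflection. All function names are my own. Note that the expression is IPv4-only, and the posted rule sits in FORWARD because it is meant for a filtering router in front of the resolver; on the resolver host itself the same match belongs in INPUT.

```python
import struct

# Constructed packets only (no captured traffic): IPv4 + UDP + DNS built by hand
# so the example runs offline. Function and variable names are my own.

QTYPE_A = 1
QTYPE_NS = 2
QTYPE_ANY = 255
QCLASS_IN = 1


def build_dns_query(qname, qtype, qclass=QCLASS_IN, txid=0x1234):
    """Single-question DNS query in RFC 1035 wire format; "." encodes as one zero byte."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    name = b""
    for label in [part for part in qname.split(".") if part]:
        name += bytes([len(label)]) + label.encode("ascii")
    name += b"\x00"  # root label terminates every name
    return header + name + struct.pack("!HH", qtype, qclass)


def build_udp_packet(payload, dst_port=53, ip_options=b""):
    """Wrap payload in IPv4 + UDP (checksums left zero). ip_options makes IHL > 5."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + udp_len,
                         0, 0, 64, 17, 0, bytes([198, 51, 100, 7]), bytes([192, 0, 2, 53]))
    udp_hdr = struct.pack("!HHHH", 12345, dst_port, udp_len, 0)
    return ip_hdr + ip_options + udp_hdr + payload


def _word(packet, off):
    """xt_u32 semantics: big-endian 32-bit read; None (match fails) if it runs past the end."""
    if off < 0 or off + 4 > len(packet):
        return None
    return struct.unpack("!I", packet[off:off + 4])[0]


def u32_root_ns_match(packet):
    """Mirror of: 0>>22&0x3C@12>>16=1 && 0>>22&0x3C@20>>24=0 && 0>>22&0x3C@21=0x00020001

    Each clause restarts at byte 0, takes (word0>>22)&0x3C = IHL*4, and jumps that
    many bytes forward, so the DNS offsets stay right when IP options are present.
    UDP header is 8 bytes and the DNS header 12, hence UDP+12 = QDCOUNT|ANCOUNT,
    UDP+20 = first QNAME byte, UDP+21 = QTYPE|QCLASS when the QNAME is ".".
    """
    w0 = _word(packet, 0)
    if w0 is None:
        return False
    ihl_bytes = (w0 >> 22) & 0x3C
    w12, w20, w21 = (_word(packet, ihl_bytes + o) for o in (12, 20, 21))
    if None in (w12, w20, w21):
        return False
    return (w12 >> 16) == 1 and (w20 >> 24) == 0 and w21 == 0x00020001


def rule_matches(packet):
    """The whole rule: -p udp --dport 53 plus the u32 match (IPv4 only, like the expression)."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        return False
    ihl_bytes = (packet[0] & 0x0F) * 4
    dport = struct.unpack("!H", packet[ihl_bytes + 2:ihl_bytes + 4])[0]
    return dport == 53 and u32_root_ns_match(packet)


def parse_question(dns):
    """Parse the first question of a DNS message (plain queries carry no compression pointers)."""
    if len(dns) < 12 or struct.unpack("!H", dns[4:6])[0] != 1:
        return None
    off, labels = 12, []
    while True:
        if off >= len(dns):
            return None
        n = dns[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 or off + n > len(dns):
            return None
        labels.append(dns[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(dns):
        return None
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {"qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass}


def classify_query(packet):
    """Tag the query shapes most often seen in reflection abuse (root NS and ANY)."""
    if len(packet) < 20 or packet[9] != 17:
        return "not-udp"
    ihl_bytes = (packet[0] & 0x0F) * 4
    if struct.unpack("!H", packet[ihl_bytes + 2:ihl_bytes + 4])[0] != 53:
        return "not-dns"
    q = parse_question(packet[ihl_bytes + 8:])
    if q is None:
        return "malformed"
    if q["qname"] == "." and q["qtype"] == QTYPE_NS:
        return "root-ns"
    if q["qtype"] == QTYPE_ANY:
        return "any"
    return "ordinary"


if __name__ == "__main__":
    samples = [("root NS", build_udp_packet(build_dns_query(".", QTYPE_NS))),
               ("root NS + IP options", build_udp_packet(build_dns_query(".", QTYPE_NS), ip_options=b"\x01" * 4)),
               ("www.example.com A", build_udp_packet(build_dns_query("www.example.com", QTYPE_A))),
               ("example.com ANY", build_udp_packet(build_dns_query("example.com", QTYPE_ANY)))]
    for desc, pkt in samples:
        print(f"{desc:22} drop={rule_matches(pkt)!s:5} class={classify_query(pkt)}")
```

The second sample (IHL of 6) is the reason the expression does not simply hard-code offset 20: with a fixed offset, a query carrying IP options would slip past the filter. The classifier shows the limit of the u32 approach in the other direction: an ANY query for a large zone is just as useful to a reflector and is not touched by this rule.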

Best current practices are documented in RFC 5358, "Preventing Use of Recursive Nameservers in Reflector Attacks":
http://tools.ietf.org/html/rfc5358

Key sentence there is:
   By default, nameservers SHOULD NOT offer recursive service to
   external networks.

but the document also offers suggestions on what to do when you have a public-facing recursive service (which boil down to "know who you talk to").

Hope this helps.

--Olaf
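As an added example, not from the thread and not from the Unbound documentation, here is an unbound.conf server section that follows that advice for an Unbound install serving a known set of clients. The open-resolver setting is shown commented out next to the restrictive one, and a few cache and query limits address the resource question from the original post. The network ranges are documentation placeholders (RFC 5737 / RFC 3849) standing in for your own client networks, and the trust-anchor path is an assumption for your distribution.

```conf
server:
    interface: 0.0.0.0
    interface: ::0
    # DNSSEC validation with RFC 5011 anchor tracking (path is an assumption)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Weak: an open resolver answers recursive queries for any source address,
    # spoofed ones included, which is exactly what RFC 5358 warns against.
    #access-control: 0.0.0.0/0 allow
    #access-control: ::0/0 allow

    # Good citizen: refuse by default, allow only the networks you know.
    # "refuse" sends a small REFUSED reply (no amplification); "deny" sends nothing.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.0.2.0/24 allow      # placeholder for your own IPv4 range
    access-control: 2001:db8::/32 allow     # placeholder for your own IPv6 range

    # Resource limits for a box that shares its resources with other services
    num-threads: 1
    msg-cache-size: 8m
    rrset-cache-size: 16m
    num-queries-per-thread: 512
    outgoing-range: 960
    jostle-timeout: 200
```

With the default refuse in place, a spoofed query from an address outside the allowed ranges gets a reply no larger than the query, so the server cannot be used as an amplifier. Newer Unbound releases additionally offer ratelimit and ip-ratelimit options (per-zone and per-client query rate limits) that cover inside the resolver what ipt_recent would do in the packet filter.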

Quoting lst_hoe02@kwsoft.de:

> What is "best practice" to limit the resources used and to be a good citizen when using Unbound as a public DNSSEC-aware resolver, or is it not recommended at all?
>
> Still no answer for this one, so I guess it is not recommended at all...

Okay, so it boils down to the danger of being used as an amplifier in a DoS with spoofed UDP source IP addresses. I will see what can be done with ipt_recent and low resource settings to avoid DoS amplification as much as possible.

Thanks

Andreas

I disagree that it is a bad thing. I run open resolvers on purpose as a service.
Just because some abuse happens does not make it evil.

If you say "unmaintained public DNS servers are bad" then I'll agree.

Apart from that, I think the botnets have reached sizes where DNS amplification
is really not that much of a tool anymore to DoS a network link.

Paul

> > If "public" means a DNS resolver that can be used by anyone, without
> > restrictions to local clients/networks/IP addresses, then yes, it is a
> > bad thing and not recommended
>
> I disagree that it is a bad thing. I run open resolvers on purpose as a service.
> Just because some abuse happens does not make it evil.

I definitely agree.

> If you say "unmaintained public DNS servers are bad" then I'll agree.
>
> Apart from that, I think the botnets have reached sizes where DNS amplification
> is really not that much of a tool anymore to DoS a network link.

I see what you're saying, but I could never agree. Be prepared. Who's to
say all attackers have eyes for one network at a time? Someone took
down a whole country (Russia is the accused) and cyber warfare is meant
to be on its way. But like spam, as long as there are other DNS
resolvers that are easier targets, they probably won't bother with
you.