[Chugalug] Signing DNS Queries
dave at brockmans.com
Wed Sep 4 21:40:48 UTC 2013
On 9/4/2013 2:43 PM, David White wrote:
> True, most, if not all, reputable ISPs are already configured to
> deny DNS requests from IP addresses that are outside their network.
> The problem is that many times, DNS amplification attacks are using
> spoofed IP addresses.
Then those ISPs should properly ACL their border routers and BGP
peers... Only a handful of transport network providers truly need
"permit ip any any" at their borders, and being transport ISPs, they
aren't normally supplying user type services such as DNS, SMTP, etc.
I agree with you there are problems, but the DNS amplification attacks
you are discussing are symptoms of a much larger issue.
> So the attacker spoofs an IP address, the request hits the
> resolver, the resolver responds back to the /real/ IP address (home
> router), and that home router then sends another response out.
Where is the home router going to send the response in the above
scenario? I don't think you understand how this amplification attack
> So my idea is, essentially, to add another layer to the "restrict
> resolvers to their network only" requirement and add a 2nd degree
> of verification - i.e. ensuring that the client making the request
> to the resolver is who he says he is.
If the "restrict resolvers to their network only" part was done
correctly *at the network layer* (Border Router), the other layer is
not necessary. And you are suggesting an identifier beyond an IP
address tied to a DNS request. Just think of the "probable cause"
that would supply to the wrong hands.
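A small model of the two controls the thread argues about, added here as an illustration and not part of the original post: a BCP38-style ingress ACL at the border router beside a resolver that only answers sources inside its own network. The ISP prefixes and the three sample queries are constructed for the example; it shows why the "restrict resolvers to their network" check alone does not stop a spoofed query, while the border ACL does.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical ISP address space (constructed). Packets arriving from the
# outside world must not claim a source inside it: that is the spoofed case.
ISP_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("203.0.113.0/24")]

@dataclass
class DnsQuery:
    src: str          # claimed source address of the query
    ingress: str      # "internal" (customer port) or "external" (BGP peer)

def in_isp_space(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ISP_PREFIXES)

def border_router_permits(q: DnsQuery) -> bool:
    """Ingress ACL: traffic from a peer may not carry an internal source,
    and customer ports may only send from the ISP's own prefixes."""
    internal_src = in_isp_space(q.src)
    if q.ingress == "external":
        return not internal_src
    return internal_src

def resolver_permits(q: DnsQuery) -> bool:
    """allow-recursion style check: answer only sources inside our network."""
    return in_isp_space(q.src)

def resolver_answers(q: DnsQuery, ingress_filtering: bool = True) -> bool:
    """Does the query get answered (and so become amplification traffic)?"""
    if ingress_filtering and not border_router_permits(q):
        return False
    return resolver_permits(q)

# Constructed traffic: a legitimate customer, a query from a peer that forges
# a customer source address, and an outsider asking with its real address.
SAMPLE = {
    "customer": DnsQuery("198.51.100.7", "internal"),
    "spoofed": DnsQuery("198.51.100.7", "external"),
    "outsider": DnsQuery("192.0.2.9", "external"),
}

if __name__ == "__main__":
    for name, q in SAMPLE.items():
        print(f"{name:9} with_acl={resolver_answers(q)} "
              f"without_acl={resolver_answers(q, ingress_filtering=False)}")
```

Without the border ACL the spoofed query is indistinguishable from the customer's and gets answered; with it, only the genuine customer query reaches the resolver.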