[Chugalug] Signing DNS Queries

Dave Brockman dave at brockmans.com
Wed Sep 4 21:40:48 UTC 2013


On 9/4/2013 2:43 PM, David White wrote:
> True, most, if not all reputable ISPs are already configured to
> deny DNS requests from IP addresses that are outside their network.
> The problem is that many times, DNS amplification attacks are using
> spoofed IP addresses.

Then those ISPs should properly ACL their border routers and BGP
peers...  Only a handful of transport network providers truly need
"permit ip any any" at their borders, and being transport ISPs, they
aren't normally supplying user type services such as DNS, SMTP, etc.
I agree with you there are problems, but the DNS amplification attacks
you are discussing are symptoms of a much larger issue.

> So the attacker spoofs an IP address, the request hits the
> resolver, the resolver responds back to the /real/ IP address (home
> router), and that home router then sends another response out.

Where is the home router going to send the response in the above
scenario?  I don't think you understand how this amplification attack
actually works....

> So my idea is, essentially, to add another layer to the "restrict 
> resolvers to their network only" requirement and add a 2nd degree
> of verification - i.e. ensuring that the client making the request
> to the resolver is who he says he is.

If the "restrict resolvers to their network only" part was done
correctly *at the network layer* (Border Router), the other layer is
not necessary.  And you are suggesting an identifier beyond an IP
address tied to a DNS request.  Just think of the "probable cause"
that would supply to the wrong hands.

Regards,

dtb
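As an added illustration (not part of the original message or any product's code) of the border-router ACL approach argued for above, this Python sketch applies the two rules at a hypothetical ISP border: drop customer-side packets whose source address the ISP never assigned (ingress filtering), and drop outside queries to the ISP's own resolver so "restrict resolvers to their network" is enforced at the network layer. The prefixes, interface names, resolver address and sample packets are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: address space this ISP assigns to its customers, and the
# address of its recursive resolver (hypothetical values).
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]
RESOLVER = ipaddress.ip_address("203.0.113.53")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "customer" or "upstream"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


def in_own_space(addr: str) -> bool:
    """True if addr falls inside a prefix this ISP assigned to its customers."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CUSTOMER_PREFIXES)


def border_acl(pkt: Packet) -> tuple:
    """Decide (verdict, reason) for a packet at the border router."""
    # Rule 1, ingress filtering: anything from the customer side must carry a
    # source address the ISP actually assigned. A spoofed source is dropped
    # here, before it can reach any resolver, ours or anyone else's.
    if pkt.iface == "customer" and not in_own_space(pkt.src):
        return ("drop", "spoofed source from customer side")
    # Rule 2: the resolver serves only the ISP's own address space; enforcing
    # that at the border means outside queries never reach the resolver at all.
    if pkt.iface == "upstream" and pkt.dst == str(RESOLVER) and pkt.dport == 53:
        return ("drop", "outside query to internal resolver")
    # Rule 3: traffic arriving from upstream that claims one of our own
    # addresses as its source is spoofed as well.
    if pkt.iface == "upstream" and in_own_space(pkt.src):
        return ("drop", "own prefix arriving from upstream")
    return ("permit", "ok")


if __name__ == "__main__":
    sample = [Packet("customer", "203.0.113.10", "203.0.113.53", 53),
              Packet("customer", "192.0.2.7", "203.0.113.53", 53),
              Packet("upstream", "192.0.2.7", "203.0.113.53", 53)]
    for p in sample:
        print(p, border_acl(p))
```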