[Dnsmasq-discuss] dnsmasq to provide public DNS service

/dev/rob0 rob0 at gmx.co.uk
Wed Jul 6 14:43:56 BST 2016


On Sun, Jul 03, 2016 at 10:40:05PM +0000, T o n g wrote:
> On Sat, 02 Jul 2016 21:27:11 +0200, Albert ARIBAUD wrote:
> >> 
> >> And, yes, basically I'm creating an open DNS server, and since 
> >> nobody is doing that, I can't find any information on how to
> >> set it up properly.
> > 
> > Nobody should do that indeed, because it is a very bad idea:
> > your machine may then serve as an amplifier for DDoS attacks.
> 
> I'm more interested to know how to do that than actually provide 
> the DNS service. BTW, on to that thought, how the ISP or Google's 
> DNS server able to avoid being an amplifier for DDoS attacks?

Having some familiarity with this, I can address this question, while 
staying out of Albert's way as he valiantly tried to address the Big 
Picture. :)

First off, Google is an entirely different thing, having little in 
common with ISP recursive servers.  Well, not quite, as the attacks 
are the same, but the potential defenses are more limited.

See: https://en.wikipedia.org/wiki/Ingress_filtering

BCP 38 (and BCP 84 for upstream providers) can help quite a lot.
Basically if you know you're receiving a certain source IP address 
from the wrong place, you know it's a spoof, and drop it.

Unfortunately most ISPs and backbones have not implemented this, so 
the spammers & scammers spoof away.  An ISP has another tool, 
however: the firewall.  They maintain strict separation between 
recursive service for their own users and authoritative service for 
their own zones.

The latter are open to the world, and refuse recursion from 
everywhere.  The former are only open to their own networks, and 
those are the networks that would be allowed recursion.

Still, this is not enough, because an ISP of any size will be hosting 
botnets galore within their own address space.

Note that an internal botnet host spoofing an external IP address 
will be able to reach the recursive servers, but recursion would be 
refused.  That's good, but that still sends a REFUSED "reply" to the 
spoofed IP address.  So the recursive servers need a second layer of 
defense: a firewall which drops anything from outside their networks.
(It's also useful in large ISPs to subdivide networks into different 
parts, and to provide resolver farms which are limited to one part 
only, rather than open to the ISP's entire network.)

Now the ISP recursive servers are not participating in external 
amplification attacks, but what if the spoofed IP address was 
internal to that ISP?  So far there's no protection.  And here's 
where common ground exists between ISP resolvers and Google Public 
DNS.

https://kb.isc.org/article/AA-01304/
https://kb.isc.org/article/AA-01316/

Recursive client rate limiting is a relatively new feature in ISC 
BIND.  It's currently the best that can be done.  I strongly suspect 
that Google also implements a feature like this.

Running recursive nameservers for an ISP is a specialised job.  One 
should not take on that responsibility without adequate preparation 
and resources.

Running a "responsible" open resolver is even more specialised.
Google surely devotes quite a lot of expert manpower to the task.  I 
suspect they also are continually monitoring the service for spikes 
and other attack indicators.

Dnsmasq is a wonderful piece of software which does a very nice job 
at meeting the needs of most small, simple sites.  I do not think 
it's well suited for ISP use, and especially not for use as an open 
resolver.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



More information about the Dnsmasq-discuss mailing list