[Dnsmasq-discuss] dnsmasq to provide public DNS service
rob0 at gmx.co.uk
Wed Jul 6 14:43:56 BST 2016
On Sun, Jul 03, 2016 at 10:40:05PM +0000, T o n g wrote:
> On Sat, 02 Jul 2016 21:27:11 +0200, Albert ARIBAUD wrote:
> >> And, yes, basically I'm creating an open DNS server, and since
> >> nobody is doing that, I can't find any information on how to
> >> set it up properly.
> > Nobody should do that indeed, because it is a very bad idea:
> > your machine may then serve as an amplifier for DDoS attacks.
> I'm more interested in knowing how to do that than in actually providing
> the DNS service. BTW, on that thought, how is the ISP's or Google's
> DNS server able to avoid being an amplifier for DDoS attacks?
Having some familiarity with this, I can address this question, while
staying out of Albert's way as he valiantly tried to address the Big
First off, Google is an entirely different thing, having little in
common with ISP recursive servers. Well, not quite, as the attacks
are the same, but the potential defenses are more limited.
BCP 38 (and BCP 84 for upstream providers) can help quite a lot.
Basically if you know you're receiving a certain source IP address
from the wrong place, you know it's a spoof, and drop it.
Unfortunately most ISPs and backbones have not implemented this, so
the spammers & scammers spoof away. An ISP has another tool,
however: the firewall. They maintain strict separation between
recursive service for their own users and authoritative service for
their own zones.
The latter are open to the world, and refuse recursion from
everywhere. The former are only open to their own networks, and
those are the networks that would be allowed recursion.
Still, this is not enough, because an ISP of any size will be hosting
botnets galore within their own address space.
Note that an internal botnet host spoofing an external IP address
will be able to reach the recursive servers, but recursion would be
refused. That's good, but that still sends a REFUSED "reply" to the
spoofed IP address. So the recursive servers need a second layer of
defense: a firewall which drops anything from outside their networks.
(It's also useful in large ISPs to subdivide networks into different
parts, and to provide resolver farms which are limited to one part
only, rather than open to the ISP's entire network.)
Now the ISP recursive servers are not participating in external
amplification attacks, but what if the spoofed IP address was
internal to that ISP? So far there's no protection. And here's
where common ground exists between ISP resolvers and Google Public
Recursive client rate limiting is a relatively new feature in ISC
BIND. It's currently the best that can be done. I strongly suspect
that Google also implements a feature like this.
Running recursive nameservers for an ISP is a specialised job. One
should not take on that responsibility without adequate preparation
Running a "responsible" open resolver is even more specialised.
Google surely devotes quite a lot of expert manpower to the task. I
suspect they also are continually monitoring the service for spikes
and other attack indicators.
Dnsmasq is a wonderful piece of software which does a very nice job
at meeting the needs of most small, simple sites. I do not think
it's well suited for ISP use, and especially not for use as an open
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
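As an added illustration (not code from this thread or from dnsmasq), here is a small Python model of the layered defences the reply describes: BCP 38 ingress filtering at the edge, a firewall in front of the recursive farm, the resolver's own recursion ACL, and per-client rate limiting. All prefixes, port names and the query limit are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample addressing: the ISP's own space, and which source
# prefixes are legitimate on each ingress port (the BCP 38 table).
ISP_NETS = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]
INGRESS_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
    "upstream": None,  # transit link: no ingress filter applied here
}
# This resolver farm serves only one part of the network (hypothetical).
RESOLVER_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]
CLIENT_QUERY_LIMIT = 5  # queries per client address per window (constructed)

def in_any(addr, nets):
    return any(addr in n for n in nets)

class Resolver:
    """Apply the layered defences in order and return the resulting action."""
    def __init__(self):
        self.per_client = defaultdict(int)

    def handle(self, src, ingress, recursion_desired=True):
        src = ipaddress.ip_address(src)
        # Layer 1: BCP 38 at the edge. A customer port that emits a source
        # address not assigned to it is sending spoofed traffic: drop it.
        allowed = INGRESS_PREFIXES.get(ingress)
        if allowed is not None and not in_any(src, allowed):
            return "bcp38-drop"
        # Layer 2: firewall in front of the recursive farm. Traffic from
        # outside the ISP's address space is dropped silently, so no
        # REFUSED packet ever goes back to an external spoofed victim.
        if not in_any(src, ISP_NETS):
            return "fw-drop"
        # Layer 3: the resolver's own recursion ACL. Internal sources that
        # belong to another part of the network still get a REFUSED reply,
        # which is why the earlier layers matter for internal victims too.
        if recursion_desired and not in_any(src, RESOLVER_CLIENTS):
            return "REFUSED"
        # Layer 4: per-client rate limiting caps what a spoofed internal
        # victim address can receive from this resolver on its behalf.
        self.per_client[src] += 1
        if self.per_client[src] > CLIENT_QUERY_LIMIT:
            return "rate-limited"
        return "answer"
```

The REFUSED case from the "upstream" port shows the gap the reply points out: a spoofed internal source still gets a reply, so only the rate limit bounds it.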