[Pdns-users] pdns_recursor and records in additional section of replies

Remi Gacogne remi.gacogne at powerdns.com
Wed Jan 23 15:31:41 UTC 2019


On 1/23/19 2:08 PM, Thomas Mieslinger wrote:
> Let's take the output of
> 
> dig +dnssec aaaa ns-de.ui-dns.de @a.nic.de
> 
> as an example. If the additional section was tweaked, pdns_recursor has
> no real chance to detect this.

That's actually a very good example because unless I'm mistaken, every
single NS in the set requires a glue to be usable.

> Asking all other authoritative servers from the authority section is
> already done if I interpret the output of rec_control trace-regex
> correctly. A well prepared attacker should be able to tweak the
> additional section of the other delegating nameservers too, so that an
> attacked pdns_recursor ends up with something other than
> ns-de.ui-dns.de.    A 217.160.80.193 in the cache.
> 
> So I either filter away fragments (for the recursors) or I dnssec sign
> ui-dns.de (on my authoritative servers) to be safe.

You can filter away fragments but I'm afraid this will lead to timeouts,
or even to some domains not resolving anymore. Most of the
countermeasures are applicable to the authoritative servers, and there
isn't a lot one can do on the recursor's side.
One option is to lower the value of edns-outgoing-bufsize enough to
reduce the likelihood of getting fragmented answers in the first place,
which is what we are doing by default in the (not yet released) 4.2.0
version, see [1], but you can also apply that setting today. Lowering
that value too much will lead to issues with authoritative servers that
do not handle queries over TCP, as Let's Encrypt recently learned the
hard way after switching to 512 bytes.

We are also experimenting with the scrubbing of most of the additional
records for 4.2.0, see [2], but we still need to accept some of these so
this is never going to perfectly prevent that issue.

Signing your domain with DNSSEC will prevent spoofed answers, but will
unfortunately not prevent a DoS since the glue records are not signed.

I'm afraid there is no silver bullet, although some measures can be
deployed to reduce the risk.

[1]: https://github.com/PowerDNS/pdns/pull/7307
[2]: https://github.com/PowerDNS/pdns/pull/7404

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
