Mitigation of server's load by queries for non-existing domains

Mitigation of server's load by queries for non-existing domains

Tomas Hozza
Hello all.

Recently I was trying to find a mechanism in BIND that could prevent the server from processing a recursive query for non-existing domains. The issue I was trying to solve was that when the server was getting too many queries for such domains it was not able to handle other relevant queries. The non-existing domains have just a few common non-existing parent domains, so one can match most of them with a wildcard RR.

I was thinking about using RPZ with the QNAME policy trigger, but this applies only to the responses to queries and still makes the server try to resolve it. As far as I'm familiar with RRL, it will also not help, since it also applies to the response to a query.

One possible solution that came to my mind was to define a zone for each of the "parent" domains and then just return localhost address or something similar to any query to that domain. I know this is kind of dummy, but this was the first thing that came to my mind. I know the server will still process the query, but will at least not do any recursion.

Is there any better mechanism to solve such problem?

Thank you in advance.

Regards,
Tomas
--
Tomas Hozza
Senior Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+1 (CET)
Red Hat Inc.                 http://cz.redhat.com
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: Mitigation of server's load by queries for non-existing domains

Tony Finch
Tomas Hozza <[hidden email]> wrote:
>
> Recently I was trying to find a mechanism in BIND that could prevent the
> server from processing a recursive query for non-existing domains.

Have a look at https://www.isc.org/blogs/tldr-resolver-ddos-mitigation/

> I was thinking about using RPZ with the QNAME policy trigger, but this
> applies only to the responses to queries and still makes the server
> try to resolve it.

RPZ has a "qname-wait-recurse no" option.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Rockall, Malin: Northwest becoming cyclonic later, 5 to 7 occasionally gale 8
at first. Rough or very rough, becoming moderate or rough. Rain or showers.
Moderate or good.
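To make Tony's pointer concrete, here is an added configuration example (not from his message or from ISC's documentation): an RPZ zone whose QNAME triggers cover the common non-existing parent domains Tomas describes, loaded with `qname-wait-recurse no` so a matching name is answered from policy before any recursion starts. The zone name `rpz.local`, the file path and the parent domains `junk-parent.example` / `other-parent.example` are placeholders.

```conf
// ---- named.conf (added example; names and paths are placeholders) ----
options {
    recursion yes;

    // Consult the policy zone on the query name BEFORE recursing.
    // With the default (qname-wait-recurse yes) named first resolves the
    // name and only then applies QNAME policy, which is the behaviour
    // Tomas observed. With "no", a QNAME hit never leaves the resolver.
    response-policy {
        zone "rpz.local";
    } qname-wait-recurse no;
};

zone "rpz.local" {
    type master;
    file "/etc/bind/rpz.local.db";
    allow-query { localhost; };   // policy data is used internally only
};

// ---- /etc/bind/rpz.local.db (added example) ----
// $TTL 300
// @    SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
//      NS   localhost.
//
// ; QNAME triggers: the parent domain itself plus a wildcard for every
// ; label beneath it, so random-subdomain names match without a per-name
// ; entry. A CNAME to "." is the RPZ encoding for "answer NXDOMAIN".
// junk-parent.example        CNAME .
// *.junk-parent.example      CNAME .
// other-parent.example       CNAME .
// *.other-parent.example     CNAME .
```

The zone-file part is shown commented so the whole block stays in one fence; copy those lines uncommented into the file named in the `zone` statement. Because the trigger fires on the query name, the outstanding-recursion load for those parents drops to zero while unrelated queries keep resolving normally.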
Re: Mitigation of server's load by queries for non-existing domains

Mukund Sivaraman
In reply to this post by Tomas Hozza
Hi Tomas

On Tue, Jan 12, 2016 at 05:53:20PM +0100, Tomas Hozza wrote:
> Hello all.
>
> Recently I was trying to find a mechanism in BIND that could prevent
> the server from processing a recursive query for non-existing
> domains. The issue I was trying to solve was that when the server was
> getting too many queries for such domains it was not able to handle
> other relevant queries. The non-existing domains have just a few common
> non-existing parent domains, so one can match most of them with a
> wildcard RR.

The attack you are describing is probably the well-known-by-now attack
called "water torture" or "random subdomain" attack. If you search for
these phrases, you'll see several presentations made on the topic.

> I was thinking about using RPZ with the QNAME policy trigger, but this
> applies only to the responses to queries and still makes the server
> try to resolve it. As far as I'm familiar with RRL, it will also not
> help, since it also applies to the response to a query.
>
> One possible solution that came to my mind was to define a zone for
> each of the "parent" domains and then just return localhost address or
> something similar to any query to that domain. I know this is kind of
> dummy, but this was the first thing that came to my mind. I know the
> server will still process the query, but will at least not do any
> recursion.
>
> Is there any better mechanism to solve such problem?
This is an ongoing problem for DNS and several measures are being
considered:

Making aggressive use of NSEC/NSEC3:
https://tools.ietf.org/html/draft-fujiwara-dnsop-nsec-aggressiveuse-01

Bloom filtering from queries:
https://github.com/hdais/unbound-bloomfilter

Evan Hunt is considering proposing another Bloom filtering method by
using a Bloom bitfield RR. We are thinking of what else could help,
including tagging of malware clients via RPZ zones provided by relevant
feed providers.

There are some measures in 9.10.3 (read about "fetches-per-server" and
"fetches-per-zone" in the ARM).

Mukund
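As an added example (not from Mukund's message or the BIND ARM), an options fragment using the two 9.10.3 quotas he names. The numeric values are illustrative; the right ceilings depend on the resolver's normal fetch volume and should be read off the resolver statistics before being enforced.

```conf
// named.conf options fragment (added example; values are illustrative)
options {
    recursion yes;

    // Upper bound on simultaneous outstanding recursive fetches for
    // names under any one zone. In a random-subdomain flood against
    // "junk-parent.example", the first 200 unanswered lookups fill the
    // quota; further queries for names under that zone are then dropped
    // (no response) instead of starting yet another recursion, while
    // lookups in every other zone are unaffected.
    fetches-per-zone 200 drop;

    // Upper bound on simultaneous fetches sent to a single upstream
    // authoritative server address. "fail" answers the client with
    // SERVFAIL rather than silently dropping, which is friendlier to
    // legitimate stub resolvers that would otherwise retry blindly.
    fetches-per-server 500 fail;
};
```

Dropped or failed queries counted against these quotas show up in the resolver statistics, which gives a cheap detection signal for the attack as well as a mitigation.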

Re: Mitigation of server's load by queries for non-existing domains

Tomas Hozza
In reply to this post by Tony Finch
On 12.01.2016 18:16, Tony Finch wrote:

> Tomas Hozza <[hidden email]> wrote:
>>
>> Recently I was trying to find a mechanism in BIND that could prevent the
>> server from processing a recursive query for non-existing domains.
>
> Have a look at https://www.isc.org/blogs/tldr-resolver-ddos-mitigation/
>
>> I was thinking about using RPZ with the QNAME policy trigger, but this
>> applies only to the responses to queries and still makes the server
>> try to resolve it.
>
> RPZ has a "qname-wait-recurse no" option.

This is exactly the thing I was looking for.

Thank you very much!

Tomas

> Tony.
>
RE: Mitigation of server's load by queries for non-existing domains

MURTARI, JOHN
In reply to this post by Tomas Hozza
Tony,
Didn't see this mentioned in the other thread messages, but depending on what version of BIND you are using you may find a lot of benefit in using the Response Rate Limiting (RRL) feature. https://www.isc.org/blogs/bind-9-9-4-released/

We have found it to be VERY effective in reducing a lot of these nuisance attacks.
Best regards!

John Murtari

Re: Mitigation of server's load by queries for non-existing domains

John Miller
In reply to this post by Tomas Hozza
On Wed, Jan 13, 2016 at 8:35 AM, Tomas Hozza <[hidden email]> wrote:

> On 12.01.2016 18:16, Tony Finch wrote:
>> Tomas Hozza <[hidden email]> wrote:
>>>
>>> Recently I was trying to find a mechanism in BIND that could prevent the
>>> server from processing a recursive query for non-existing domains.
>>
>> Have a look at https://www.isc.org/blogs/tldr-resolver-ddos-mitigation/
>>
>>> I was thinking about using RPZ with the QNAME policy trigger, but this
>>> applies only to the responses to queries and still makes the server
>>> try to resolve it.
>>
>> RPZ has a "qname-wait-recurse no" option.
>
> This is exactly the thing I was looking for.
>
> Thank you very much!
>

Thanks from this end as well--I wasn't aware of this option, either.

John