Comments on: DNS Darwinism http://mcwresearch.com/archives/569 Things I think I've thought about Wed, 06 Jan 2010 16:45:57 +0000 hourly 1 http://wordpress.org/?v=3.3 By: Michael http://mcwresearch.com/archives/569/comment-page-1#comment-4836 Michael Thu, 15 Nov 2007 16:15:39 +0000 http://mcwresearch.com/archives/569#comment-4836 I'd also like to add that DoS conditions are of little concern for our shop. In six years working here I've only once witnessed a DoS event impact us and it was indirect; one of our hosts was zombified and was trying to participate in a DDoS, which effectively DoS'ed the local network. The cause of that was a worm, which has been a realized threat to us, and one that we've spent considerable time and money to combat (quite effectively I might add). The truth is that we would end up spending an equal amount of time and energy addressing DoS vectors as we have addressing worm vectors and the latter has proven to be a much more worthwhile venture. Our publicly-accessible services are far more *expendable*, for lack of a better word, than are our internal services. I've read some of your information on DoS mitigation and it's impressive and certainly worth reading for shops who are concerned about DoS mitigation. I’d also like to add that DoS conditions are of little concern for our shop. In six years working here I’ve only once witnessed a DoS event impact us and it was indirect; one of our hosts was zombified and was trying to participate in a DDoS, which effectively DoS’ed the local network. The cause of that was a worm, which has been a realized threat to us, and one that we’ve spent considerable time and money to combat (quite effectively I might add).

The truth is that we would end up spending an equal amount of time and energy addressing DoS vectors as we have addressing worm vectors and the latter has proven to be a much more worthwhile venture. Our publicly-accessible services are far more *expendable*, for lack of a better word, than are our internal services.

I’ve read some of your information on DoS mitigation and it’s impressive and certainly worth reading for shops who are concerned about DoS mitigation.

]]> By: Michael http://mcwresearch.com/archives/569/comment-page-1#comment-4835 Michael Thu, 15 Nov 2007 16:04:28 +0000 http://mcwresearch.com/archives/569#comment-4835 By blocking TCP/53 from leaving my network, I prevent zone transfers from leaving my network at all. In an Active Directory environment, if someone can transfer your zone out of your network they are able to gain an enormous amount of intelligence about your network, which would amount to a 'check' situation, with only a few moves to 'check mate'. When I said that external DNS servers should be 'intentionally ignorant', I was implying a tiered solution, where externally, the DNS infrastructure does not maintain a copy of the internal zone. I've blocked TCP/53 for years and have yet to see a problem arise because of it. I'm curious how its harmful in the extreme. You bring up an interesting point about state-full firewalls in front of DNS servers. I would assume that would be a DoS vector for <i>any</i> service, not just DNS. Though I'll be the first to admit I'm no DNS guru. By blocking TCP/53 from leaving my network, I prevent zone transfers from leaving my network at all. In an Active Directory environment, if someone can transfer your zone out of your network they are able to gain an enormous amount of intelligence about your network, which would amount to a ‘check’ situation, with only a few moves to ‘check mate’.

When I said that external DNS servers should be ‘intentionally ignorant’, I was implying a tiered solution, where externally, the DNS infrastructure does not maintain a copy of the internal zone.

I’ve blocked TCP/53 for years and have yet to see a problem arise because of it.

I’m curious how its harmful in the extreme.

You bring up an interesting point about state-full firewalls in front of DNS servers. I would assume that would be a DoS vector for any service, not just DNS. Though I’ll be the first to admit I’m no DNS guru.

]]> By: Roland Dobbins http://mcwresearch.com/archives/569/comment-page-1#comment-4834 Roland Dobbins Thu, 15 Nov 2007 03:11:44 +0000 http://mcwresearch.com/archives/569#comment-4834 Your comment about blocking TCP/53 and 'long replies by damned' is 100% incorrect and is harmful in the extreme. Instead, DNS servers should be tiered, and public-facing DNS servers simply shouldn't allow zone transfers from hosts outside one's own network(s). Also, firewalls should not be placed in front of public-facing DNS servers; the state of the firewall is a DoS vector. Instead, stateless ACLs (hopefully on an ASIC-based router platform) coupled with tight sysadmin practices and other reaction/mitigation systems (S/RTBH, DDoS scrubbers, etc.) should be utilized as circumstances warrant. Your comment about blocking TCP/53 and ‘long replies by damned’ is 100% incorrect and is harmful in the extreme. Instead, DNS servers should be tiered, and public-facing DNS servers simply shouldn’t allow zone transfers from hosts outside one’s own network(s).

Also, firewalls should not be placed in front of public-facing DNS servers; the state of the firewall is a DoS vector. Instead, stateless ACLs (hopefully on an ASIC-based router platform) coupled with tight sysadmin practices and other reaction/mitigation systems (S/RTBH, DDoS scrubbers, etc.) should be utilized as circumstances warrant.

]]>