some way to limit ANY queries
• Great if the answer is cacheable
• ACL is the debugger's friend
• Many want to get rid of ANY queries

Why do resolvers forward ANY queries?
• DJB wrote an explanation as to what Qmail is doing: https://mailarchive.ietf.org/arch/msg/dnsop/kXSApuM4i0WLoIo3_OhrCcAZ-cc
• Translation: Qmail uses ANY as a probabilistic optimization
• Will fall back to normal resolution if ANY does not yield a “useful” answer
• Not cached: the resolver tries the next one and eventually fails
• Empty answer
  • Treated as a negative answer and cached for a short time
• Referral
  • Confuses some resolvers
  • Harmless
• Existing record type
  • This works well
• New/unspecified record type
  • In almost all cases this works fine; some implementations don’t like it
• Guess what is useful
  • Some check if MX or A + AAAA are present and return only them
reflection flood via open resolvers w/o cache
• Forged reflection flood via open resolvers w/ cache
• Resolvers with empty cache when an application asks
• Resolvers with empty cache when a user asks
• User sending a direct query to the authoritative server
• Tools walking a domain or checking policies (for example spam police)
• Others?
CACHE
• If ignored, they keep asking
• If we send TC, we get a TCP connection
• The majority have actual users, thus blacklisting them is not an option
• Lots of them!!!!
all RR types for a name
• We hate big answers
• Sometimes not even available => incomplete answers
• Deploying DNSSEC with on-line signing on the edge at massive scale
• Waste of effort to sign all the RR types the query origin does not care about
Source                      | Volume               | Response
----------------------------|----------------------|------------------------
Open resolvers w/o cache    | Millions             | Drop
Open resolvers w/ cache     | Millions             | Answer with something
Resolvers with empty cache  | Hundreds in bursts   | Answer with something
Resolvers with empty cache  | Thousands per second | Answer with something
Direct users                | Tens                 | Human readable refusal
Tools                       | ???                  | Drop
HINFO in their zones → No need for a new type
• We can generate this on the fly early in the processing
• No need for multiple database lookups, discovery of all types, or multiple signatures
• Simplified our code as we can remove ANY processing from various parts
• Cached as-is by resolvers → stops retries
• Accepted by resolvers → doesn’t break… applications

make up a HINFO on the fly
• Signed zones
  • Sign a HINFO for each existing name, answer normally for non-existing names
  • Pick one RRset and serve only that, answer normally for non-existing names
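The two ANY-handling options above (synthesize a HINFO on the fly, or serve a single existing RRset) are easy to get subtly wrong: the synthesized answer must only be produced for names that actually exist, otherwise a non-existent name suddenly appears to exist for ANY but not for other types. The following is an added illustration, not code from the slide deck or from any nameserver; the toy zone, the `Response` structure and the A/AAAA/MX preference order used in "one-rrset" mode are constructed for the example. The HINFO text is the one the deck shows.

```python
# Added example: authoritative-side ANY policy as described on the slides.
# Not the presenter's code; the zone data and structures are constructed here.
from dataclasses import dataclass, field

# Constructed toy zone: owner name -> {rrtype: [rdata, ...]}. Names are kept
# lowercase so lookups are case-insensitive, as DNS owner names are.
ZONE = {
    "example.com.": {
        "A": ["192.0.2.1"],
        "AAAA": ["2001:db8::1"],
        "MX": ["10 mail.example.com."],
    },
    "mail.example.com.": {"A": ["192.0.2.25"]},
}

# The HINFO RDATA the deck shows being served in place of a real ANY answer
SYNTH_HINFO = '"Please stop asking for ANY" "See draft-jabley-dnsop-refuse-any"'

# Preference order for "one-rrset" mode (an assumption for this example; the
# slides only say "pick one RRset")
ONE_RRSET_PREFERENCE = ("A", "AAAA", "MX")


@dataclass
class Response:
    rcode: str                                  # "NOERROR" or "NXDOMAIN"
    answers: list = field(default_factory=list)  # (owner, rrtype, rdata) tuples


def legacy_any_answer(zone, qname):
    """The behaviour being replaced: every RRset at the name, all of which
    would need a signature in an online-signing deployment."""
    qname = qname.lower()
    if qname not in zone:
        return Response("NXDOMAIN")
    answers = [(qname, t, r) for t, rdatas in zone[qname].items() for r in rdatas]
    return Response("NOERROR", answers)


def answer(zone, qname, qtype, mode="hinfo"):
    """Answer a query; ANY is special-cased according to `mode`:
    "hinfo"      -> synthesize a HINFO RRset on the fly (unsigned or signed zones)
    "one-rrset"  -> serve one existing RRset only (signed-zone option)
    """
    qname = qname.lower()
    if qname not in zone:
        # Name does not exist: answer normally. Synthesizing HINFO here would
        # make the name appear to exist, so the negative answer must win.
        return Response("NXDOMAIN")

    rrsets = zone[qname]
    if qtype != "ANY":
        # Ordinary query: normal processing, unchanged by the ANY policy
        return Response("NOERROR", [(qname, qtype, r) for r in rrsets.get(qtype, [])])

    if mode == "hinfo":
        # One small, cacheable RRset; only one signature needed if signing
        return Response("NOERROR", [(qname, "HINFO", SYNTH_HINFO)])

    if mode == "one-rrset":
        # Serve the first existing RRset in preference order, nothing else
        for rrtype in ONE_RRSET_PREFERENCE:
            if rrtype in rrsets:
                return Response("NOERROR", [(qname, rrtype, r) for r in rrsets[rrtype]])
        # Fall back to any RRset the name has (the loop above only covers
        # the preferred types)
        rrtype, rdatas = next(iter(rrsets.items()))
        return Response("NOERROR", [(qname, rrtype, r) for r in rdatas])

    raise ValueError(f"unknown ANY mode: {mode}")


if __name__ == "__main__":
    print("legacy ANY:", legacy_any_answer(ZONE, "example.com."))
    print("HINFO ANY :", answer(ZONE, "example.com.", "ANY"))
    print("1-RRset   :", answer(ZONE, "example.com.", "ANY", mode="one-rrset"))
    print("NXDOMAIN  :", answer(ZONE, "nope.example.com.", "ANY"))
```

Running it shows the point of the slides: the legacy path returns three RRsets (three signatures, a large answer), while either new mode returns exactly one RRset, and a non-existent name still gets NXDOMAIN regardless of query type.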
lab
• Check with reasonable people
• Measure known/possible side effects
• Test on a portion of the Internet for some time
• Back out if something… funny is seen
"Please stop asking for ANY" "See draft-jabley-dnsop-refuse-any"
• World-wide proxy into that region
• Won’t be running forever
• Proxy to CloudFlare regular nameservers
• (Signed zones coming next week)
reach reasonable compromises and do simple things that address complex problems.
• By treating ANY specially, we are a smaller amplification reflector
• We simplified our code
• We spend fewer resources under attack