bns
Should Authoritative Nameserver refer non-zone queries to the root zone?
Running a few bns nameservers now for Handshake domains, I've been hit by multiple Amplification Attacks.
I think in AuthNS mode (with recursion off a.k.a. this.ra: false), the server should either not reply at all, or reply as minimally as possible.
Examples
Querying local bns AuthNS
$ dig @127.0.0.1 -p 5300 myzonewd
; <<>> DiG 9.14.6 <<>> @127.0.0.1 -p 5300 myzonewd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15969
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;myzonewd. IN A
;; AUTHORITY SECTION:
. 3600000 IN NS a.root-servers.net.
. 3600000 IN NS b.root-servers.net.
. 3600000 IN NS c.root-servers.net.
. 3600000 IN NS d.root-servers.net.
. 3600000 IN NS e.root-servers.net.
. 3600000 IN NS f.root-servers.net.
. 3600000 IN NS g.root-servers.net.
. 3600000 IN NS h.root-servers.net.
. 3600000 IN NS i.root-servers.net.
. 3600000 IN NS j.root-servers.net.
. 3600000 IN NS k.root-servers.net.
. 3600000 IN NS l.root-servers.net.
. 3600000 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 3600000 IN A 198.41.0.4
a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 3600000 IN A 199.9.14.201
b.root-servers.net. 3600000 IN AAAA 2001:500:200::b
c.root-servers.net. 3600000 IN A 192.33.4.12
c.root-servers.net. 3600000 IN AAAA 2001:500:2::c
d.root-servers.net. 3600000 IN A 199.7.91.13
d.root-servers.net. 3600000 IN AAAA 2001:500:2d::d
e.root-servers.net. 3600000 IN A 192.203.230.10
e.root-servers.net. 3600000 IN AAAA 2001:500:a8::e
f.root-servers.net. 3600000 IN A 192.5.5.241
f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f
g.root-servers.net. 3600000 IN A 192.112.36.4
g.root-servers.net. 3600000 IN AAAA 2001:500:12::d0d
h.root-servers.net. 3600000 IN A 198.97.190.53
h.root-servers.net. 3600000 IN AAAA 2001:500:1::53
i.root-servers.net. 3600000 IN A 192.36.148.17
i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
j.root-servers.net. 3600000 IN A 192.58.128.30
j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 3600000 IN A 193.0.14.129
k.root-servers.net. 3600000 IN AAAA 2001:7fd::1
l.root-servers.net. 3600000 IN A 199.7.83.42
l.root-servers.net. 3600000 IN AAAA 2001:500:9f::42
m.root-servers.net. 3600000 IN A 202.12.27.33
m.root-servers.net. 3600000 IN AAAA 2001:dc3::35
;; Query time: 4 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Mon Apr 27 12:43:45 EDT 2020
;; MSG SIZE rcvd: 820
Querying a CSC Global nameserver
$ dig @156.154.130.100 iwefjwoiefjowief.oweifjowiejfoiwjef
; <<>> DiG 9.14.6 <<>> @156.154.130.100 iwefjwoiefjowief.oweifjowiejfoiwjef
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48484
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;iwefjwoiefjowief.oweifjowiejfoiwjef. IN A
;; Query time: 8 msec
;; SERVER: 156.154.130.100#53(156.154.130.100)
;; WHEN: Mon Apr 27 12:43:21 EDT 2020
;; MSG SIZE rcvd: 53
Possible fix: remove this line, which returns the root hints.
https://github.com/chjj/bns/blob/4d14ee60cde5058f06aeda204b9b7825cb475e3e/lib/zone.js#L267-L271
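As an added illustration (not bns code), here is the minimal reply an authoritative-only server can send for a query outside its zones: the header and question echoed back with RCODE=REFUSED, RA=0 and empty authority/additional sections, so the reply is no larger than the request (compare the 820-byte referral above). The zone names and packets are constructed for the example.

```javascript
const REFUSED = 5;

// Encode "www.example" as DNS wire labels: \x03www\x07example\x00
function encodeName(name) {
  const labels = name.replace(/\.$/, '').split('.').filter(Boolean);
  const parts = labels.map((l) => Buffer.concat([Buffer.from([l.length]), Buffer.from(l, 'ascii')]));
  return Buffer.concat([...parts, Buffer.from([0])]);
}

// Build a plain (no EDNS) query: 12-byte header + one question, RD set.
function buildQuery(id, name, qtype = 1) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x0100, 2); // flags: RD=1
  header.writeUInt16BE(1, 4);      // QDCOUNT=1
  const q = Buffer.alloc(4);
  q.writeUInt16BE(qtype, 0);
  q.writeUInt16BE(1, 2);           // class IN
  return Buffer.concat([header, encodeName(name), q]);
}

// Read the question name (questions carry no compression pointers).
function parseQuestionName(pkt) {
  const labels = [];
  let off = 12;
  while (pkt[off] !== 0) {
    labels.push(pkt.toString('ascii', off + 1, off + 1 + pkt[off]));
    off += 1 + pkt[off];
  }
  return { name: labels.join('.'), end: off + 5 }; // skip root byte, qtype, qclass
}

// True if the name is at or below one of the zones this server is authoritative for.
function inBailiwick(name, zones) {
  const n = name.toLowerCase();
  return zones.some((z) => n === z || n.endsWith('.' + z));
}

// In-zone: return null so the caller answers from zone data. Out-of-zone: echo
// header+question only, QR=1, RD preserved, RA=0, RCODE=REFUSED, all counts but QD zeroed.
function minimalReply(queryPkt, zones) {
  const { name, end } = parseQuestionName(queryPkt);
  if (inBailiwick(name, zones)) return null;
  const reply = Buffer.from(queryPkt.subarray(0, end));
  const rd = reply[2] & 0x01;
  reply.writeUInt16BE(0x8000 | (rd << 8) | REFUSED, 2);
  reply.writeUInt16BE(0, 6); reply.writeUInt16BE(0, 8); reply.writeUInt16BE(0, 10);
  return reply;
}

// Bytes sent per byte received; the root-hint referral above is far above 1.0, this reply is exactly 1.0.
function amplification(req, resp) { return resp.length / req.length; }
```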