Open Resolver Problems
- Subject: Open Resolver Problems
- From: brian.peter.dickson at gmail.com (Brian Dickson)
- Date: Mon, 1 Apr 2013 12:42:13 -0400
For filtering to/from "client-only" networks, here are the filtering rules (in pseudo-code; convert to appropriate code for whatever devices you operate), for DNS.
The objective here is:
- prevent spoofed-source DNS reflection attacks from your customers from leaving your network
- prevent your customers' open DNS servers (regardless of what they are) from being used in reflection attacks
- permit normal DNS usage by clients, regardless of whether they are talking to an external DNS resolver or doing their own local resolution (e.g. local DNS resolver on a host, or SOHO router)
from client:
  permit source=client-subnet dest=any port=53 proto=TCP
    (TCP only works if it reaches "established", i.e. spoofing is irrelevant, but we stop spoofed SYN here)
  permit source=client-subnet dest=any port=53 proto=UDP QR=0
    (first/highest bit of 3rd octet of DNS packet payload of UDP)
  deny port=53
    (regardless of source/dest: either spoofed source, or QR=1, if it reached this rule)
to client:
  permit dest=any source=any port=53 proto=TCP
  permit dest=any source=any port=53 QR=1
    (first/highest bit of 3rd octet of DNS packet payload of UDP)
  deny port=53 proto=UDP
    (QR=0, which is what we want to avoid)
(We don't have to check dest==client-subnet, since routing handles this requirement.)
If you have "eyeball" networks, please apply liberally.
Brian
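The rule set above as a runnable reference classifier, added here as an example and not code from Brian's message. It assumes things the post does not state: a client subnet of 192.0.2.0/24 (an RFC 5737 documentation prefix), "port=53" read literally as "either the source or the destination port is 53", a "no-match" verdict for traffic that does not touch port 53 at all (the rules say nothing about it), and a fail-closed deny for a UDP payload too short to carry a DNS header. The QR check is exactly the one in the post: the high bit of the third octet of the UDP payload.

```python
"""Reference classifier for the DNS filtering rules in the post above.

Added example, not code from the original message. Assumptions not on the
page: client subnet 192.0.2.0/24, "port=53" means source or destination
port 53, non-DNS traffic is "no-match", runt payloads are denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import struct

# Assumed example client-only subnet; replace with the real customer prefix.
CLIENT_SUBNET = ip_network("192.0.2.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes  # transport payload (the DNS message, for UDP)


def dns_qr(payload: bytes):
    """QR flag from the DNS header: 0 = query, 1 = response.

    The flag is the high bit of the third octet (payload[2] & 0x80).
    Returns None if the payload is shorter than the 12-byte header so the
    caller can fail closed instead of guessing.
    """
    if len(payload) < 12:
        return None
    return (payload[2] & 0x80) >> 7


def _touches_port_53(pkt: Packet) -> bool:
    return pkt.sport == 53 or pkt.dport == 53


def filter_from_client(pkt: Packet) -> str:
    """Rules applied to traffic leaving the client-only network."""
    if not _touches_port_53(pkt):
        return "no-match"          # not DNS; outside the scope of these rules
    in_subnet = ip_address(pkt.src) in CLIENT_SUBNET
    if in_subnet and pkt.proto == "tcp":
        return "permit"            # TCP needs the handshake, spoofing is moot
    if in_subnet and pkt.proto == "udp" and dns_qr(pkt.payload) == 0:
        return "permit"            # a genuine query from a genuine source
    # Spoofed source, a response (QR=1) leaving the network, or a payload
    # too short to classify: all dropped here.
    return "deny"


def filter_to_client(pkt: Packet) -> str:
    """Rules applied to traffic entering the client-only network."""
    if not _touches_port_53(pkt):
        return "no-match"
    if pkt.proto == "tcp":
        return "permit"
    if pkt.proto == "udp" and dns_qr(pkt.payload) == 1:
        return "permit"            # an answer coming back to a client
    return "deny"                  # a UDP query (QR=0) aimed at a customer box


def build_dns(txid: int, qr: int, name: str = "example.com") -> bytes:
    """Constructed minimal DNS message: 12-byte header plus one A question."""
    flags = (qr << 15) | (1 << 8)  # QR in the top bit, RD set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def demo():
    """Constructed packets exercising each rule; returns the verdicts."""
    q, r = build_dns(0x1234, 0), build_dns(0x1234, 1)
    runt = b"\x12\x34\x81"  # three bytes: no complete DNS header
    return {
        "client query out":      filter_from_client(Packet("192.0.2.10", "198.51.100.53", "udp", 40000, 53, q)),
        "spoofed query out":     filter_from_client(Packet("203.0.113.9", "198.51.100.53", "udp", 40000, 53, q)),
        "open server answering": filter_from_client(Packet("192.0.2.10", "203.0.113.9", "udp", 53, 40000, r)),
        "client tcp out":        filter_from_client(Packet("192.0.2.10", "198.51.100.53", "tcp", 50000, 53, b"")),
        "answer in":             filter_to_client(Packet("198.51.100.53", "192.0.2.10", "udp", 53, 40000, r)),
        "query in":              filter_to_client(Packet("203.0.113.9", "192.0.2.10", "udp", 40000, 53, q)),
        "tcp query in":          filter_to_client(Packet("203.0.113.9", "192.0.2.10", "tcp", 40000, 53, b"")),
        "runt in":               filter_to_client(Packet("198.51.100.53", "192.0.2.10", "udp", 53, 40000, runt)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

One caveat when carrying this to a real device: the rules key on the UDP port and on a byte of the UDP payload, and a non-initial IP fragment carries neither a UDP header nor the DNS header, so neither match can be evaluated on it. Large EDNS responses are the usual source of such fragments, and a port-plus-payload filter needs an explicit fragment policy alongside it.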