[AusNOG] SRV Records

Mark Delany g2x at juliet.emu.st
Wed Jul 16 00:49:20 EST 2014


> > Are SRV dns records dangerous and should we continue to block them at
> > our border router?
> 
> No.  Why do people think they need to block queries that will return
> NXDOMAIN or NODATA?

> 100% of DNS firewall rules are garbage.  I have yet to see a firewall
> vendor that properly understands DNS.

As Mark points out, gratuitous and ill-advised DNS firewall rules are
all but ruining DNS innovation. I.e., no one wants to invent new DNS
types any more because they rightly fear that new types won't get to
many parts of the internet.

In the particular case of SRV, it's heavily used by VOIP applications
(see http://www.voip-info.org/wiki/view/DNS+SRV) so you'd at least be
breaking those users.

At one point SRV was also considered for HTTP 2.0 discovery so you may
well be setting up your users to be perpetually downgraded to the
slower, less capable HTTP 1.1. Since HTTP 2.0 transparently downgrades,
it's entirely possible that no one will realize your users are getting
a second-rate experience - for years!


It's likely too late to save DNS - which will most likely have future
enhancements route around your firewall via 80/443 - but it's definitely
one protocol where you should permit all by default and temporarily
deny by exception.


Mark.
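An added example (not part of the original post) showing what an SRV lookup carries on the wire and how a VoIP client picks a host and port from the answers using the RFC 2782 selection rules; the `_sip._udp.example.com` name and the sample answers are constructed:

```python
import random
import struct

SRV_QTYPE = 33  # RFC 2782 assigns SRV the RR type code 33

def encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(data, offset=0):
    """Decode an uncompressed name; SRV targets must not be compressed (RFC 2782)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1

def build_srv_query(service, proto, domain, txid=0x1234):
    """Wire-format query a SIP client sends, e.g. _sip._udp.example.com SRV IN."""
    qname = "_%s._%s.%s" % (service, proto, domain)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(qname) + struct.pack("!HH", SRV_QTYPE, 1)

def parse_srv_rdata(rdata):
    """SRV RDATA: priority, weight, port (16 bits each), then the target name."""
    priority, weight, port = struct.unpack("!HHH", rdata[:6])
    target, _ = decode_name(rdata, 6)
    return {"priority": priority, "weight": weight, "port": port, "target": target}

def select_target(records, rng=random):
    """RFC 2782 selection: lowest priority wins, ties broken by weighted random choice."""
    lowest = min(r["priority"] for r in records)
    # weight-0 records go first so they are chosen only when the draw is 0
    candidates = sorted((r for r in records if r["priority"] == lowest),
                        key=lambda r: r["weight"] != 0)
    draw = rng.randint(0, sum(r["weight"] for r in candidates))
    running = 0
    for r in candidates:
        running += r["weight"]
        if running >= draw:
            return r["target"], r["port"]

# Constructed sample answers for _sip._udp.example.com (hypothetical hosts).
SAMPLE_RDATA = [
    struct.pack("!HHH", 10, 60, 5060) + encode_name("sip1.example.com"),
    struct.pack("!HHH", 10, 40, 5060) + encode_name("sip2.example.com"),
    struct.pack("!HHH", 20, 0, 5060) + encode_name("backup.example.com"),
]
```

The query is an ordinary UDP/53 DNS packet with QTYPE 33; a rule that drops it leaves the SIP client with no SRV answer and therefore no host to call.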