[AusNOG] SRV Records

Mark Andrews marka at isc.org
Tue Jul 15 19:06:29 EST 2014 


In message <4B5E863F12AF3A48B7ACE3DE2B228B903175F91D at EXCHANGE-3.ANSA.WAN>, ANSA
 SERVERS writes:
>
> Hey Guys,
>
> Quick question for all the network security buffs on the list....
>
> Are SRV dns records dangerous and should we continue to  block them at
> our border router?

No.  Why to people think they need to block queries that will return
NXDOMAIN or NODATA.
 
> I am asking this because we are seeing massive amounts of traffic being
> blocked (and ips hitting out blacklist) from our network because they are
> trying to query our dns cluster for these records.

Well let the queries through and the caches will cache that they don't exist.

> These are the default options in the dns proxy policy for the firewall
> that where set when it was installed - but we already know the people
> that installed the firewall had no idea what they were doing...

100% of DNS firewall rules are garbage.  I have yet to see a firewall
vendor that properly understands DNS.

DNS packet haven't been limited to 512 bytes for 15 years.
DNS UDP packet are fragmented.
EDNS is not a danger (any version).
DO=1 is not a danger.
AD=1 is not a danger.
EDNS options are not a danger.
DNS TCP is a standard part of the DNS protocol and is expected
to be seen for more than AXFR.
A firewall shouldn't be re-writting DNS packets.
You DNS server will not fallover if presented with unknown query types.

And lastly DNS is a query/response protocol.  Dropping packets is bad form.
There are error code that can be returned.

> So what exactly are these SRV records and what are they used for. We have
> no reason to block them if they pose no risk to our network.

> Regards,
>
> Matthew Matters  Managing Director / CEO of Aus Net Servers Australia Pty
> Ltd
> Management Department  |  Small Business Hosting Sales & Services  |  Aus
> Net Servers Australia Pty Ltd
> P  1300 933 038  |  M  0428 028 091  |  E
> mmatters at ausnetservers.net.au<mailto:mmatters at ausnetservers.net.au> |  W
> www.ausnetservers.net.au<http://www.ausnetservers.net.au/>
> ABN 25 162 013 194 | ACN 162 013 194 | ARBN B2318 229M | #1 For Dedicated
> Hosting Solutions For Small Business Since 2007

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the AusNOG mailing list