[AusNOG] SRV Records

ANSA SERVERS info at ausnetservers.net.au
Tue Jul 15 19:10:19 EST 2014


Hi Mark,

All I am seeing is A6 and A7 queries being blocked at the moment from China, so I am not really concerned about them.

The firewall is trying to prevent DNS recursion attacks that can cause huge damage to a network, much like a DDoS can.

Regards,

Matthew Matters  Managing Director / CEO of Aus Net Servers Australia Pty Ltd
Management Department  |  Small Business Hosting Sales & Services  |  Aus Net Servers Australia Pty Ltd
P  1300 933 038  |  M  0428 028 091  |  E  mmatters at ausnetservers.net.au |  W  www.ausnetservers.net.au
ABN 25 162 013 194 | ACN 162 013 194 | ARBN B2318 229M | #1 For Dedicated Hosting Solutions For Small Business Since 2007

-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org]
Sent: Tuesday, 15 July 2014 7:07 PM
To: ANSA SERVERS
Cc: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] SRV Records



In message <4B5E863F12AF3A48B7ACE3DE2B228B903175F91D at EXCHANGE-3.ANSA.WAN>, ANSA  SERVERS writes:
>
> Hey Guys,
>
> Quick question for all the network security buffs on the list....
>
> Are SRV dns records dangerous and should we continue to  block them at
> our border router?

No.  Why do people think they need to block queries that will return NXDOMAIN or NODATA?

> I am asking this because we are seeing massive amounts of traffic
> being blocked (and IPs hitting our blacklist) from our network because
> they are trying to query our dns cluster for these records.

Well let the queries through and the caches will cache that they don't exist.

> These are the default options in the dns proxy policy for the firewall
> that were set when it was installed - but we already know the people
> that installed the firewall had no idea what they were doing...

100% of DNS firewall rules are garbage.  I have yet to see a firewall vendor that properly understands DNS.

DNS packets haven't been limited to 512 bytes for 15 years.
DNS UDP packets are fragmented.
EDNS is not a danger (any version).
DO=1 is not a danger.
AD=1 is not a danger.
EDNS options are not a danger.
DNS TCP is a standard part of the DNS protocol and is expected to be seen for more than AXFR.
A firewall shouldn't be rewriting DNS packets.
Your DNS server will not fall over if presented with unknown query types.

And lastly DNS is a query/response protocol.  Dropping packets is bad form.
There are error codes that can be returned.

> So what exactly are these SRV records and what are they used for. We
> have no reason to block them if they pose no risk to our network.


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
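Added illustration (not part of the thread above, and not ISC or Aus Net Servers code): a small Python script that builds the SRV query the reply is talking about, with an EDNS0 OPT record advertising a 4096-byte UDP payload and DO=1, and then interprets the NODATA or NXDOMAIN reply an authoritative server returns when the record does not exist, computing the negative-cache TTL a resolver would use (the smaller of the SOA TTL and the SOA MINIMUM field, RFC 2308 section 5). The zone name, SOA contents and the reply itself are constructed for the example and there is no network I/O. The point it makes concrete is the one made in the reply: an SRV query is an ordinary 16-bit QTYPE (33), EDNS and DO are plain header fields, and letting a "no such record" answer through is what gives caches something to remember.

```python
"""Build an SRV query with EDNS0 and interpret a negative response (RFC 2308)."""
import struct
import random

# Type codes from the IANA DNS parameters registry.
TYPE_SOA, TYPE_SRV, TYPE_OPT = 6, 33, 41
CLASS_IN = 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Dotted name -> uncompressed DNS wire labels, ending with the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read a (possibly compressed, RFC 1035 4.1.4) name; return (name, next offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer into the message
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_query(qname, qtype, udp_payload=4096, dnssec_ok=True, txid=None):
    """Standard query, RD=1, plus an OPT pseudo-RR advertising EDNS0 (RFC 6891)."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # ARCOUNT=1 for OPT
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT: owner is the root, the CLASS field carries the UDP payload size,
    # the TTL field is ext-RCODE(8) | version(8) | DO(1) + Z(15), RDLENGTH 0.
    ttl_field = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, ttl_field, 0)
    return header + question + opt


def build_negative_response(query, rcode, zone, soa_ttl, minimum):
    """What an authoritative server answers for a name/type that does not exist:
    the question echoed back, ANCOUNT=0, and the zone SOA in AUTHORITY (RFC 2308).
    The SOA contents are hypothetical; only its TTL and MINIMUM matter here."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    _, q_end = decode_name(query, 12)
    question = query[12:q_end + 4]
    flags = 0x8400 | rcode                 # QR=1, AA=1; RD/RA left clear
    header = struct.pack("!HHHHHH", txid, flags, qdcount, 0, 1, 0)
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", 2014071501, 7200, 3600, 1209600, minimum))
    soa = (encode_name(zone)
           + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, soa_ttl, len(rdata)) + rdata)
    return header + question + soa


def negative_cache_ttl(response):
    """Classify a response and return (kind, seconds a resolver may cache it).
    For NODATA/NXDOMAIN the TTL is min(SOA TTL, SOA MINIMUM), RFC 2308 section 5."""
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                    # skip the question section
        _, off = decode_name(response, off)
        off += 4
    if rcode == RCODE_NOERROR and an > 0:
        return "positive", None
    for _ in range(an + ns):               # look for the SOA in AUTHORITY
        _, off = decode_name(response, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == TYPE_SOA:
            _, p = decode_name(response, off)      # MNAME
            _, p = decode_name(response, p)        # RNAME
            minimum = struct.unpack("!I", response[p + 16:p + 20])[0]
            kind = "NXDOMAIN" if rcode == RCODE_NXDOMAIN else "NODATA"
            return kind, min(ttl, minimum)
        off += rdlen
    return "uncacheable", 0


if __name__ == "__main__":
    q = build_query("_sip._tcp.example.com", TYPE_SRV, txid=0x1234)
    print(len(q), "byte query; QTYPE 33 is just a number in the question section")
    r = build_negative_response(q, RCODE_NOERROR, "example.com", soa_ttl=3600, minimum=600)
    print(negative_cache_ttl(r))           # ('NODATA', 600)
```

Run stand-alone it prints the 50-byte query and ('NODATA', 600): the resolver that receives this reply caches "no SRV at that name" for 600 seconds and stops asking. The same parse handles NXDOMAIN (RCODE 3). If a firewall drops the query or the reply instead of letting an RCODE come back, the resolver never sees the SOA, has nothing to cache, and simply retries, which is the traffic the original poster was seeing.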

