DNSOP                                                     O. Gudmundsson
Internet-Draft                                              M. Majkowski
Updates: 1035 (if approved)                              CloudFlare Inc.
Intended status: Standards Track                           March 6, 2015
Expires: September 7, 2015


     Standard way for Authoratitive DNS servers to refuse ANY query
                     draft-ogud-dnsop-any-notimp-00

Abstract

   DNS ANY query is widely abused for reflection attacks.  This feature
   was designed to aid in debugging.  As there is no good reason for
   applications to ever issue an ANY query this document codifies how an
   authoritative server can reject such queries.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 7, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Gudmundsson & Majkowski Expires September 7, 2015               [Page 1]

Internet-Draft             Refusing ANY query                 March 2015


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements notation . . . . . . . . . . . . . . . . . . . .   2
   3.  Protocol change . . . . . . . . . . . . . . . . . . . . . . .   2
   4.  IANA considerations . . . . . . . . . . . . . . . . . . . . .   3
   5.  Security considerations . . . . . . . . . . . . . . . . . . .   3
   6.  Internationalizaiton Considerations . . . . . . . . . . . . .   3
   7.  Implementation Experience . . . . . . . . . . . . . . . . . .   3
   8.  Normative References  . . . . . . . . . . . . . . . . . . . .   3
   Appendix A.  Document history . . . . . . . . . . . . . . . . . .   3
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   3

1.  Introduction

   DNS is an evolving protocol, at glacial phase, this document
   specifies how an Authorative server can reject an ANY query.  ANY
   queries are widely abused by attackers doing reflection attacks as
   they return the largest answers.  Over the years a number of attempts
   have been made to throttle ANY queries, ranging from returning TC bit
   to all UDP ANY queries, blocking them totally, and QoS'ing the number
   of ANY queires accepted per second.  All of those are band-aids.

   Some modern Authoritative servers, such as those used by CDN's, do
   not have DNS zones.  For those servers answering ANY query truthfully
   is hard work.  Thus ignoring ANY queries simplifies the
   implementation.

2.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Protocol change

   An Authorative DNS[RFC1035] server can reject ANY query by returning
   RCODE = 4 (NOTIMP).

   A Recurisive Resolver SHOULD ignore RD bit set on ANY query.
   Additionaly as Recursive Resolver SHOULD remember that ANY queries
   are not available from upstream Auth server, this SHOULD be cached
   for at least 5 minutes.








Gudmundsson & Majkowski Expires September 7, 2015               [Page 2]

Internet-Draft             Refusing ANY query                 March 2015


4.  IANA considerations

   No IANA action is requested

5.  Security considerations

   ANY query is mainly used for attacks on the internet due to its
   amplification factor.  Codifying this behavior makes life harder for
   attackers, at minimal cost for DNS operators.

6.  Internationalizaiton Considerations

   NONE

7.  Implementation Experience

   TBD

8.  Normative References

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

Appendix A.  Document history

   [RFC Editor: Please remove this section before publication ]

   00 Initial version

Authors' Addresses

   Olafur Gudmundsson
   CloudFlare Inc.
   San Francisco, CA  94107
   USA

   Email: olafur@cloudflare.com


   Marek Majkowski
   CloudFlare Inc.
   London
   UK

   Email: marek@cloudflare.com



Gudmundsson & Majkowski Expires September 7, 2015               [Page 3]