= DNS/毒盛/2020/saddns.net/対策 =

Shared resolvers will need some kind of countermeasure. -- ToshinoriMaeno

{{{
There are three kinds of actions that could be taken to mitigate the attack:

Destroy the side channel
    Disable outgoing ICMP
    Randomize ICMP global rate limit (used by Linux)
Add more secrets to DNS messages
    DNSSEC
    0x20 encoding
    DNS cookie
Reduce the attack window
    Reduce the timeout for outstanding queries
}}}

CVE-2020-25705 (November 13, 2020): https://access.redhat.com/security/cve/cve-2020-25705

Stop replying with ICMP type 3, code 3 (port unreachable). (Can it actually be stopped?)

== DNS Cookies ==

A proposal seen on slashdot.org: use DNS Cookies, and switch to TCP when they cannot be used. -- ToshinoriMaeno

{{{
It does require using DNS COOKIE and falling back to TCP when the server doesn't support DNS COOKIE.
}}}

The same point is in RFC 7873: https://tools.ietf.org/html/rfc7873

{{{
Where DNS Cookies are not available but TCP is, falling back to using TCP is reasonable.
If only one party to a DNS transaction supports DNS Cookies, the mechanism does not provide a benefit or significantly interfere, but if both support it, the ..
}}}

DNS Transport over TCP - Operational Requirements, draft-ietf-dnsop-dns-tcp-requirements-04 (2019): https://tools.ietf.org/id/draft-ietf-dnsop-dns-tcp-requirements-04.xml

== Stopping ICMP port unreachable ==

https://www.infraexpert.com/info/5.0adsl.htm

https://twitter.com/tss_ontap_o/status/1327776449273556992?s=20

net.inet.udp.blackhole=1, or:

{{{
ipfw add 1 deny log logamount 1000 icmp from me to any icmptypes 3
}}}

Workaround (SUSE): Filter out "icmp type port-unreachable" messages on ipv4 and ipv6 via the firewall on your resolver host. Sample iptables rules:

{{{
iptables -A OUTPUT -p icmp --icmp-type port-unreachable -j DROP
ip6tables -A OUTPUT -p ipv6-icmp --icmp-type port-unreachable -j DROP
}}}

This might however restrict network functionality.

https://twitter.com/beyondDNS/status/1327776518731309056?s=20

https://twitter.com/jedisct1/status/1326921483692732416?s=20

{{{
edgedns was never vulnerable to this “new” DNS cache poisoning attack.
Back in 2012 I also wrote a kernel patch specifically to avoid this (https://sk.tl/4PC5ueLo). Resolvers should not send ICMP port unreachable messages to auth servers, it does more harm than good.
1:15 AM · November 13, 2020
}}}

https://download.pureftpd.org/misc/linux_udp_tcp_blackhole.diff

== Linux kernel patch ==

Vary how many ICMP messages are sent out. A countermeasure such as not generating ICMP port unreachable even before the rate limit is reached is possible. This makes it harder to tell whether a port is open.
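For the DNS Cookies section above, an added example that is not code from this page or from any resolver: it builds the EDNS(0) COOKIE option (option code 10, RFC 7873) with a client cookie derived from a per-resolver secret and the server address, extracts the option from a reply's OPT RDATA, and applies the fallback policy quoted from slashdot.org: a reply with no COOKIE option means the server does not support cookies and the query is retried over TCP, while a reply carrying the wrong client cookie is dropped. The secret, addresses and server cookie are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

COOKIE_OPTION_CODE = 10  # EDNS(0) COOKIE option code assigned by RFC 7873

# Constructed sample secret; a real resolver keeps this per-process and rotates it.
CLIENT_SECRET = os.urandom(16)


def client_cookie(secret: bytes, server_ip: str) -> bytes:
    """8-byte client cookie: keyed hash over the server address, so each
    server gets a different cookie but the client needs no per-server state."""
    return hmac.new(secret, server_ip.encode(), hashlib.sha256).digest()[:8]


def cookie_option(client: bytes, server: bytes = b"") -> bytes:
    """Wire format of one EDNS option: code(2) | length(2) | client | [server].
    The server cookie is 8..32 bytes when present (RFC 7873 section 4)."""
    if len(client) != 8 or (server and not 8 <= len(server) <= 32):
        raise ValueError("bad cookie length")
    data = client + server
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def parse_cookie_option(opt_rdata: bytes):
    """Walk the OPT RR RDATA (a sequence of options) and return
    (client_cookie, server_cookie), or None if no well-formed COOKIE is present."""
    off = 0
    while off + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[off:off + 4])
        body = opt_rdata[off + 4:off + 4 + length]
        off += 4 + length
        if code == COOKIE_OPTION_CODE and (len(body) == 8 or 16 <= len(body) <= 40):
            return body[:8], body[8:]
    return None


def check_reply(opt_rdata, expected_client: bytes) -> str:
    """Resolver policy from the page: a UDP reply is accepted only if it echoes
    our client cookie; no COOKIE option at all means the server does not
    support cookies, so the query is retried over TCP."""
    parsed = parse_cookie_option(opt_rdata) if opt_rdata is not None else None
    if parsed is None:
        return "retry-tcp"
    echoed, _server_cookie = parsed  # server cookie would be cached for the next query
    if not hmac.compare_digest(echoed, expected_client):
        return "reject"  # off-path forgery: the attacker never saw our cookie
    return "accept"
```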