On allowing ICMP to authoritative name servers
After hearing our answer in Episode 24 to Jorge Fábregas’s question about whether to allow ICMP messages to authoritative name servers, David Dagon submitted this insightful response:
On episode 24 of your “The Ask Mr. DNS Podcast”, you answered a question by Jorge Fábregas about whether to allow ICMP messages to an authoritative server.
Your answer (to allow ICMP) noted the convenience of ICMP and its utility in diagnosing server errors. I would like to offer another rationale for allowing ICMP messages destined for authority servers.
If an attacker is attempting to poison your zone in a third party’s recursive (e.g., by spoofing your source address in answer to an induced glue request), your authority will see ICMP blowback from the victim recursive for incorrect QID and/or SPORT guesses. I.e., forged packets destined for closed UDP ports will result in ICMP(3,3) message from the victim recursive.
Informally, the authority hears distant echos of any brute force attack on a recursive. Since ICMP messages typically contain the IP header and first 8 bytes of the offending UDP datagram, this is just enough payload to include the QID. (Some OS even include more octets of the blocked datagram, permitting inspection of the QNAME).
Thus, one can monitor an authority for high volumes of ICMP messages, and infer the possible poisoning attempt on a 3d party recursive. Confirmation of the nature of the attack comes from the QID diversity (which may suggest a poisoning attack). Of course, there still exists the possibility that even the ICMP messages were spoofed. But if the 3d party victim is open recursive, one could even inspect the victim’s cache, iteratively asking for records in your zone, to confirm the success of the attack.
While brute-force DNS poisoning is (thankfully) rare in the post-Kaminsky world, and of concern only for high-value sites, there are still some episodes of cache poisoning. This is yet another reason to allow ICMP traffic to authority servers.
Sadly, we didn’t think of this, but it’s an excellent reason to allow ICMP to your authoritative name servers. And once again, we’re gratified and humbled to have such incisive listeners.
If you’re interested in reading more from David, we highly recommend a paper he coauthored, Corrupted Resolution Paths: The Rise of a Malicious Resolution Authority, about open recursive name servers that return deliberately incorrect answers. Very scary.