<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: DNS TXT records, use and implications of blocking? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/dns-txt-records-use-and-implications-of-blocking/m-p/46664#M34295</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yes, there are valid DNS TXT records.&amp;nbsp; The most common would be the SPF records for SMTP services.&amp;nbsp; These are used to help prevent some types of spam bots by identifying the valid SMTP outbound servers in a domain.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Your better approach may be to see which DNS Amplification signatures the attacks are hitting and change the threat ID responses from default alert to a block action.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Sat, 29 Nov 2014 00:33:46 GMT</pubDate>
    <dc:creator>pulukas</dc:creator>
    <dc:date>2014-11-29T00:33:46Z</dc:date>
    <item>
      <title>DNS TXT records, use and implications of blocking?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dns-txt-records-use-and-implications-of-blocking/m-p/46663#M34294</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;In the recent past my organization was hit with a relatively new DNS Amplification attack which uses a botnet hosting DNS services with a specifically crafted DNS TXT record.&amp;nbsp; The spoofed requests specifically requested this record hosted on the botnet.&amp;nbsp; After investigating, I found articles online of the attack being used but with different TXT records.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My question is this: are DNS TXT records used legitimately in practice over the internet, and what could be the implications of blocking requests/replies for TXT records altogether?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for any insight you can provide.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 28 Nov 2014 15:51:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dns-txt-records-use-and-implications-of-blocking/m-p/46663#M34294</guid>
      <dc:creator>Dz3015</dc:creator>
      <dc:date>2014-11-28T15:51:11Z</dc:date>
    </item>
    <item>
      <title>Re: DNS TXT records, use and implications of blocking?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dns-txt-records-use-and-implications-of-blocking/m-p/46664#M34295</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yes, there are valid DNS TXT records.&amp;nbsp; The most common would be the SPF records for SMTP services.&amp;nbsp; These are used to help prevent some types of spam bots by identifying the valid SMTP outbound servers in a domain.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Your better approach may be to see which DNS Amplification signatures the attacks are hitting and change the threat ID responses from default alert to a block action.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 29 Nov 2014 00:33:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dns-txt-records-use-and-implications-of-blocking/m-p/46664#M34295</guid>
      <dc:creator>pulukas</dc:creator>
      <dc:date>2014-11-29T00:33:46Z</dc:date>
    </item>
    <item>
      <title>Re: DNS TXT records, use and implications of blocking?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dns-txt-records-use-and-implications-of-blocking/m-p/46665#M34296</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Since amplification attacks are typically fragmented UDP packets, one option would be to enable zone protection on your Internet-facing interface(s). Selecting 'Fragmented Traffic' and/or configuring UDP flood parameters in a zone protection profile and applying it to these interfaces will drop UDP DNS fragments commonly used in amp attacks. I don't recommend using this profile internally unless you've determined if your own DNS implementations are configured correctly.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This avoids having to block a specific record type altogether while still dropping the attack traffic. It will also drop UDP responses from resolvers that are not configured to truncate responses 512+ bytes and resume over TCP.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 29 Nov 2014 18:30:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dns-txt-records-use-and-implications-of-blocking/m-p/46665#M34296</guid>
      <dc:creator>lwheelock</dc:creator>
      <dc:date>2014-11-29T18:30:59Z</dc:date>
    </item>
  </channel>
</rss>

