nanog mailing list archives

Re: Open Resolver Problems


From: Ben Aitchison <ben () meh net nz>
Date: Fri, 29 Mar 2013 16:44:19 +1300

On Tue, Mar 26, 2013 at 07:07:16PM -0700, Tom Paseka wrote:
> On Tue, Mar 26, 2013 at 7:04 PM, Matthew Petach <mpetach () netflight com> wrote:
> >
> > On Tue, Mar 26, 2013 at 6:06 PM, John Levine <johnl () iecc com> wrote:
> > > > As a white-hat attempting to find problems to address through legitimate
> > > > means, how
> > > > do you …
> > >
> > > You make friends with people with busy authoritative servers and see
> > > who's querying them.
> >
> > I'm confused.  Don't most authoritative servers have to
> > answer to just about anyone in order to be useful?
> >
> > Matt
>
> Authoritative DNS servers need to implement rate limiting. (a client
> shouldn't query you twice for the same thing within its TTL).

unbound with its dns-prefetching queries a dns server again in, I think, the last 10% of ttl when
returning a hit to the client, to refresh the ttl and keep it current.

To me this doesn't seem excessive, and will improve performance for regularly accessed sites with
short ttls, which are quite common now (google, facebook, etc).

It'd break if doing that extreme rate limiting.  But so would things like rebooting a dns server;
I think if rate limiting is done it has to be on the lenient side.

Also, how do you know that the dns resolver got a successful reply?   Just because you've received
a packet from a client doesn't mean that you can reach the client.  So if there's one-way traffic
or excessive dual way packet loss, the chances of prematurely blocking clients and creating longer
outages are too great.

That said, a lot of these amplification attacks use ANY requests, which normal clients don't.  And
those could be rate limited down without affecting normal traffic, I'm sure.

Ben.
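The two policies argued over in this message, side by side over a constructed query log (this is an added illustration, not code from the thread or from unbound): a literal "once per TTL" limiter drops a resolver's prefetch near the end of the TTL, while a limiter that only caps ANY leaves ordinary refreshes alone. The log format, the 300 s TTL, and the 10 s / 2-query ANY budget are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample query log (not from the thread). The second
# example.com/A query from 192.0.2.10 at t=270 models a resolver's prefetch
# near the end of a 300 s TTL; the burst from 198.51.100.7 models ANY abuse.
SAMPLE_LOG = [
    "t=0 client=192.0.2.10 qname=example.com qtype=A",
    "t=270 client=192.0.2.10 qname=example.com qtype=A",
    "t=301 client=192.0.2.10 qname=example.com qtype=A",
    "t=5 client=198.51.100.7 qname=example.com qtype=ANY",
    "t=6 client=198.51.100.7 qname=example.com qtype=ANY",
    "t=7 client=198.51.100.7 qname=example.com qtype=ANY",
    "t=8 client=198.51.100.7 qname=example.com qtype=ANY",
]


def parse(line):
    """Turn one 'k=v k=v ...' log line into (t, client, qname, qtype)."""
    f = dict(part.split("=", 1) for part in line.split())
    return int(f["t"]), f["client"], f["qname"], f["qtype"]


def strict_per_ttl(log, ttl):
    """'A client shouldn't query twice for the same thing within its TTL',
    applied literally: a repeat query for a (client, name, type) tuple
    within ttl seconds of the last answered one is dropped."""
    last_answered = {}
    dropped = []
    for t, client, qname, qtype in sorted(parse(l) for l in log):
        key = (client, qname, qtype)
        if key in last_answered and t - last_answered[key] < ttl:
            dropped.append((t, client, qname, qtype))
        else:
            last_answered[key] = t
    return dropped


def any_only_limit(log, window, max_any):
    """Lenient variant: ordinary query types are never limited; ANY is
    capped at max_any answers per client per sliding window of seconds."""
    recent_any = defaultdict(list)
    dropped = []
    for t, client, qname, qtype in sorted(parse(l) for l in log):
        if qtype != "ANY":
            continue
        recent_any[client] = [x for x in recent_any[client] if t - x < window]
        if len(recent_any[client]) >= max_any:
            dropped.append((t, client, qname, qtype))
        else:
            recent_any[client].append(t)
    return dropped
```

With the sample log, the strict policy drops the t=270 prefetch (the client then gets no answer until the TTL has fully expired), whereas the ANY-only policy drops nothing but the third and fourth ANY queries from the bursting client.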

