nanog mailing list archives
Re: Open Resolver Problems
From: Jimmy Hess <mysidia () gmail com>
Date: Fri, 29 Mar 2013 05:11:02 -0500
On 3/28/13, Ben Aitchison <ben () meh net nz> wrote:
On Tue, Mar 26, 2013 at 07:07:16PM -0700, Tom Paseka wrote:
Authoritative DNS servers need to implement rate limiting. (a client shouldn't query you twice for the same thing within its TTL).
The RFC doesn't say that is a should; a client MAY only query you once for a record within its TTL. The TTL is the duration after which the entry /must/ be expunged from the cache; it is an allowed maximum, not a minimum lifetime. A client may query plenty of times within its TTL.

Sufficiently low rate limits on the authoritative would open the possibility of new kinds of attacks. If the authoritative DNS server decides to limit its rate of response, this might be used to conduct a DoS against the recursive nameserver's ability to look up queries against the authoritative NS applying the limit. This could be leveraged remotely through a malicious website, remote-loading bad image URLs from a significant number of non-existent subdomains, causing the rate limit to be attained. This may also be used to facilitate cache poisoning against legitimate recursors, targeting the domain whose authoritative servers apply a strict limit, by intentionally causing the recursor to make the maximum number of queries allowed before sending spoofed responses.

In particular, a client that answers many different queries for a large number of clients and has a limited cache size may query many times within a TTL. The average record cache lifetime might be 15 to 40 seconds (as low as 1 second in some cases), even if the record TTL is 86400. Or the cache may be manually flushed by the operator in order to have a local DNS record change take effect more immediately (since most resolvers do not provide an admin command to flush only one zone from their cache).

No guarantee is made about the size of the client's cache, the number of records, or the client's cache aging policy. The response may be discarded or aged out well before its TTL has elapsed. There may be other 'more popular' records on the same DNS resolver that are retained in the cache until TTL. Additional queries may be issued as a cache-poisoning avoidance mechanism.
The same DNS servers might get queried multiple times successively for different records within the same zone.
Unbound, with its DNS prefetching, queries a DNS server again in (I think) the last 10% of the TTL when returning a hit to a client, to refresh the TTL and keep it current.
--
-JH
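As an added illustration of the point made in the message above (this is not code from the thread, from Unbound or from any resolver), here is a toy model of a recursive resolver cache that replays constructed client traffic and counts how many times one name is queried at the authoritative within a single TTL; the cache size, the 10% prefetch threshold measured against the cached record's TTL, and the event timeline are assumptions.

```python
from collections import OrderedDict

class RecursorCache:
    """Toy LRU cache of a recursive resolver. With prefetch on, a hit served with
    <= 10% of the original TTL left re-queries upstream (Unbound-style)."""
    def __init__(self, max_entries, prefetch=False, prefetch_fraction=0.10):
        self.max_entries = max_entries
        self.prefetch = prefetch
        self.prefetch_fraction = prefetch_fraction
        self.entries = OrderedDict()  # name -> (inserted_at, ttl)
        self.upstream_queries = []    # (time, name) sent to the authoritative

    def _fetch(self, name, now, ttl):
        self.upstream_queries.append((now, name))
        self.entries[name] = (now, ttl)
        self.entries.move_to_end(name)
        while len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)  # evict least recently used

    def lookup(self, name, now, ttl):
        """Serve one client query at time `now`; returns "hit" or "miss"."""
        if name in self.entries:
            inserted, rec_ttl = self.entries[name]
            remaining = inserted + rec_ttl - now
            if remaining > 0:
                self.entries.move_to_end(name)
                if self.prefetch and remaining <= self.prefetch_fraction * rec_ttl:
                    self._fetch(name, now, ttl)  # refresh before expiry
                return "hit"
            del self.entries[name]  # expired: TTL is the maximum lifetime
        self._fetch(name, now, ttl)
        return "miss"

def queries_within_one_ttl(cache, name, ttl, events):
    """Replay (time, qname, flush_before) client events and count the
    authoritative queries for `name` sent before one TTL has elapsed."""
    for t, qname, flush_before in events:
        if flush_before:
            cache.entries.clear()  # operator flushed the whole cache
        cache.lookup(qname, t, ttl)
    return sum(1 for t, n in cache.upstream_queries if n == name and t < ttl)

TTL, NAME = 3600, "www.example.net"
EVENTS = [  # constructed client traffic: (seconds, queried name, flush first?)
    (0, NAME, False), (5, "cdn1.example.org", False),
    (10, "cdn2.example.org", False),  # a 2-entry cache now evicts NAME
    (20, NAME, False), (30, NAME, True),  # operator flush forces a re-query
    (3300, NAME, False), (3599, NAME, False),  # 3300: <= 10% left, prefetch
]
```

With a two-entry cache and prefetch enabled, the replay sends four queries for the one name inside a single TTL; a large cache without prefetch still sends two because of the operator flush, and only one when the flush is removed, which is why a "once per TTL" limit at the authoritative would also throttle well-behaved recursors.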