nanog mailing list archives
Re: large organization nameservers sending icmp packets to dns servers.
From: Douglas Otis <dotis () mail-abuse org>
Date: Wed, 8 Aug 2007 17:22:10 -0700
On Aug 8, 2007, at 12:11 PM, Paul Vixie wrote:
> dotis () mail-abuse org (Douglas Otis) writes:
>
> > Ensuring an authoritative domain name server responds via UDP is a critical security requirement. TCP will not create the same risk of a resolver being poisoned, but a TCP connection will consume a significant amount of a name server's resources.
>
> ...but this is flat out wrong, dead wrong, no way to candy coat it, wrong.
Wanting to understand this comment, I'll expand upon the quoted statement.
Resolver's factors affecting DNS security are:
- selection of port and transaction IDs
- restrictions on outstanding queries for same resource
- limits on inbound bandwidth

Ignoring uncontrollable factors...

Authoritative server factors affecting security are:
- time frame for an answer
- duration of RR TTLs
- number of servers

A short time frame for an answer, along with longer TTLs, is influenced by authoritative servers and also affects spoofing rates.
When DNS TCP is used, the transport sequence number further precludes a spoofed TCP answer from being accepted. When a truncated response is returned, TCP fallback may be attempted. When a TCP ICMP refusal is filtered or never sent, but TCP has been blocked, the timeframe allotted for spoofing could entail the entire TCP timeout. However, the probability of successful spoofing includes an additional multiplier of 1 / 2^32. This reduction should sufficiently negate an additional timeout duration.
TCP requires state and introduces several additional exchanges for a given number of answers. Any effort related to poisoning will likely attempt to delay an answer by adding to the server's overhead. Precluding truncation, and thereby eliminating TCP, should favorably reduce server overhead and increase overall performance.
Of course, a more practical method would be to ensure sufficient DNS resources are available by increasing server resources. That said, how many domains allocate a couple of prior generation servers for DNS?
-Doug
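As an added illustration (not part of the thread, and not anyone's measurement), the following Python puts the factors Doug lists into one back-of-the-envelope risk model: transaction ID and source-port entropy, the answer window, duplicate outstanding queries, TTL-paced retries, and the extra 1/2^32 factor from a TCP sequence number. All parameter values are constructed assumptions.

```python
import math
from dataclasses import dataclass

# Added example, not from the NANOG post. A rough model of the spoofing factors
# the post names. Every number below is an assumed value for illustration.

@dataclass
class SpoofModel:
    id_bits: int           # transaction-ID entropy (16 bits in DNS)
    port_bits: int         # source-port entropy: 0 for a fixed port, up to 16 if randomized
    window_s: float        # time frame for an answer: query sent until the real reply lands
    pps: float             # forged answers per second that can reach the resolver
    ttl_s: float           # RR TTL: one fresh chance per cache expiry
    outstanding: int = 1   # duplicate outstanding queries a forged reply could match
    tcp_seq_bits: int = 0  # 32 when the reply must arrive over TCP (sequence number)

    def space(self) -> int:
        """Number of distinct values a forged reply must match by luck."""
        return 2 ** (self.id_bits + self.port_bits + self.tcp_seq_bits)

    def p_per_window(self) -> float:
        """Probability one answer window is won, treating each forged packet as an
        independent guess; with k outstanding duplicate queries each packet gets
        roughly k chances (an approximation, valid while k << space)."""
        guesses = min(self.pps * self.window_s * self.outstanding, self.space())
        # 1 - (1 - 1/space)^guesses, computed without cancellation for huge spaces
        return -math.expm1(guesses * math.log1p(-1.0 / self.space()))

    def p_per_day(self) -> float:
        """Probability of at least one win in a day of TTL-paced attempts."""
        attempts = 86400.0 / self.ttl_s
        return -math.expm1(attempts * math.log1p(-self.p_per_window()))


def scenarios() -> dict:
    """Same attacker capacity, varying the factors the post names."""
    base = dict(id_bits=16, window_s=0.1, pps=50_000, ttl_s=300)
    return {
        "udp fixed port":       SpoofModel(port_bits=0, **base),
        "udp random port":      SpoofModel(port_bits=16, **base),
        "udp random, long ttl": SpoofModel(port_bits=16, **{**base, "ttl_s": 86400}),
        "tcp fallback":         SpoofModel(port_bits=16, tcp_seq_bits=32, **base),
    }


if __name__ == "__main__":
    for name, m in scenarios().items():
        print(f"{name:22s} space=2^{m.space().bit_length() - 1:<3d} "
              f"p/window={m.p_per_window():.3g}  p/day={m.p_per_day():.3g}")
```

The "tcp fallback" row is the 1/2^32 multiplier from the post applied to the randomized-port UDP case, and the long-TTL row shows why TTL length matters even when the per-window odds are unchanged.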