nanog mailing list archives

Re: DNS hardening, was Re: Dan Kaminsky

From: Douglas Otis <dotis () mail-abuse org>
Date: Wed, 05 Aug 2009 11:12:32 -0700

On 8/5/09 9:48 AM, John Levine wrote:

Other than DNSSEC, I'm aware of these relatively simple hacks to add
entropy to DNS queries.

1) Random query ID

2) Random source port

3) Random case in queries, e.g. GooGLe.CoM

4) Ask twice (with different values for the first three hacks) and
compare the answers

DNSSEC introduces vulnerabilities, such as reflected attacks andfragmentation related exploits that might poison glue, where perhapsasking twice might still be needed.

Modern implementations use random 16 bit transaction IDs. InterposedNATs may impair effectiveness of random source ports. Use of randomquery cases may not offer an entropy increase in some instances. Askingtwice, although doubling resource consumption and latency, offers anincrease in entropy that works best when queried serially.

Establishing SCTP as a preferred DNS transport offers a safe harbor formajor ISPs. SCTP protects against both spoofed and reflected attack.Use of persistent SCTP associations can provide lower latency than thatfound using TCP fallback, TCP only, or repeated queries. SCTP alsobetter deals with attack related congestion.

Once UDP is impaired by EDNS0 response sizes that exceed reassemblyresources, or are preemptively dropped as a result, TCP must thendramatically scale up to offer the resilience achieved by UDP anycast.In this scenario, SCTP offers several benefits. SCTP retainsinitialization state within cryptographically secured cookies, whichprovides significant protection against spoofed source resourceexhaustion. By first exchanging cookies, the network extends serverstate storage. SCTP also better ensures against cache poisoning whetherDNSSEC is used or not.

Having major providers support the SCTP option will mitigate disruptionscaused by DNS DDoS attacks using less resources. SCTP will alsoencourage use of IPv6, and improve proper SOHO router support. WhenSCTP becomes used by HTTP, this further enhances DDoS resistance foreven critical web related services as well.


-Doug

Current thread:

Re: dnscurve and DNS hardening, was Re: Dan Kaminsky, (continued)
- - - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Naveen Nathan (Aug 05)
    - RE: dnscurve and DNS hardening, was Re: Dan Kaminsky Skywing (Aug 05)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Ben Scott (Aug 05)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Naveen Nathan (Aug 05)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Alexander Harrowell (Aug 06)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Ben Scott (Aug 07)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Tony Finch (Aug 06)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky John R. Levine (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Roland Dobbins (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Paul Jakma (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie (Aug 06)

(Thread continues...)