North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: DNS was Re: Internet Vulnerabilities
- From: Brad Knowles
- Date: Mon Jul 15 11:49:38 2002
At 9:07 AM +0200 2002/07/15, Måns Nilsson quoted Simon Waters
<Simon@wretched.demon.co.uk> as saying:
would guess the "." zone probably isn't that large in absolute
terms, so large ISPs (NANOG members ?) could arrange for their
recursive servers to act as private secondaries of ".", thus
eliminating the dependence on the root servers entirely for a
large chunks of the Internet user base.
1266 A records
1243 NS records
1 SOA record
1 TXT record
Currently, B, C, & F are open to zone transfers.
I think the kinds of zones being handled by the gtld-servers
would be harder to relocate, if only due to size, although the
average NANOG reader probably has rather more bandwidth
available than I do, they may not have the right kind of spare
capacity on their DNS servers to secondary ".com" at short
Edu is pretty good size:
17188 NS records
5514 A records
1 SOA record
1 TXT record
A complete zone transfer comprises some 1016491 bytes.
I disagree. This is only going to help those ISPs that are
clued-in enough to act as a stealth secondary of the zone, and then
only for those customers that will be using their nameservers as
caching/recursive servers, or have their own caching/recursive
servers forward all unknown queries to their ISPs. I'm sorry, but
that's a vanishingly small group of people, and will have little or
no measurable impact.
All I think root server protection requires is someone with
access to the relevant zone to make it available through other
channels to large ISPs. There is no technical reason why key DNS
infrastructure providers could not implement such a scheme on
their own recursive DNS servers now, and it would offer to
reduce load on both their own, and the root DNS servers and
Better would be for the root nameservers to do per-IP address
throttling. If you send them too many queries in a given period of
time, they can throw away any excess queries. This prevents people
from running tools like queryperf on a constant basis from
excessively abusing the server.
Indeed, some root nameservers are already doing per-IP address throttling.
Keep in mind that some ccTLDs are pretty good size themselves.
The largest domain I've been able to get a zone transfer of is .tv,
comprising some 20919120 bytes of data -- 381812 NSes, 72694 A RRs,
5754 CNAMEs, and 3 MXes.
In practical terms I'd be more worried about smaller attacks
against specific CC domains, I could imagine some people seeing
disruption of "il" as a more potent (and perhaps less globally
unpopular) political statement, than disrupting the whole
Any zone that is served by a system that is both authoritative
and public caching/recursive is wide-open for cache-poisoning attacks
-- such as any zone served by nic.lth.se [18.104.22.168].
Who said that the root nameservers were geographically diverse?
I don't think the situation has changed much since the list at
created. I don't call this geographically diverse.
Similarly an attack on a commercial subdomain in a
specific country could be used to make a political statement,
but might have significant economic consequences for some
companies. Attacking 3 or 4 servers is far easier than attacking
13 geographically diverse, well networked, and well protected
Except for the performance issues, IMO ccTLDs should be held to
the same standards of operation as the root nameservers, and thus
subject to RFC 2010 "Operational Criteria for Root Name Servers" by
B. Manning, P. Vixie and RFC 2870 "Root Name Server Operational
Requirements" by R. Bush, D. Karrenberg, M. Kosters, & R. Plzak.
I definitely agree. ccTLDen are in very varying states of security
awareness, and while I believe .il is aware and prepared, other
conflict zone domains might not be...
Those of you who are interested in this topic may want to drop in
on my invited talk "Domain Name Server Comparison: BIND 8 vs. BIND 9
vs. djbdns vs. ???" at LISA 2002. Root & TLD server issues will
figure heavily in comparison. ;-)
Brad Knowles, <email@example.com>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.