[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DNS noise

Subject: DNS noise
From: drc at virtualized.org (David Conrad)
Date: Fri, 6 Apr 2012 11:24:18 -0700
In-reply-to: <CAAAwwbUvs0u8t7JWvM=4j2nTkXzzFKfCifK=q=PaZCpEY=EtXQ@mail.gmail.com>
References: <8C26A4FDAE599041A13EB499117D3C287CA17C7F@EX-MB-1.corp.atlasnetworks.us> <[email protected]> <CAAAwwbUvs0u8t7JWvM=4j2nTkXzzFKfCifK=q=PaZCpEY=EtXQ@mail.gmail.com>

On Apr 6, 2012, at 11:13 AM, Jimmy Hess wrote:
>> It turns out that DNSSEC makes a respectable traffic amplification vector:
> This is definitely a problem.

Yep.  So are SNMP reflection attacks (biggest attack I've seen was one of these) and any other datagram-oriented query/response protocol.

> Unfortunately, what really should happen is DNSSEC should be revised, to,
> either make sure that the client initiating the query has to either do more
> work than the server, or make a round trip before the DNSSEC data can
> be requested.

Treating a symptom and ignoring the disease. See http://tools.ietf.org/html/bcp38

> One way of accomplishing that would be to indicate that DNSSEC data
> can be transmitted only over DNS when using TCP;  

I suspect the root server operators might not like this idea very much.

Regards,
-drc

Follow-Ups:
- DNS noise
  - From: mysidia at gmail.com (Jimmy Hess)

References:
- DNS noise
  - From: nathan at atlasnetworks.us (Nathan Eisenberg)
- DNS noise
  - From: nick at foobar.org (Nick Hilliard)
- DNS noise
  - From: mysidia at gmail.com (Jimmy Hess)

Prev by Date: DNS noise
Next by Date: SORBS?!
Previous by thread: DNS noise
Next by thread: DNS noise
Index(es):
- Date
- Thread