North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DNS was Re: Internet Vulnerabilities

  • From: Brad Knowles
  • Date: Mon Jul 15 11:49:38 2002

At 9:07 AM +0200 2002/07/15, Måns Nilsson quoted Simon Waters
<Simon@wretched.demon.co.uk> as saying:

 I
 would guess the "." zone probably isn't that large in absolute
 terms, so large ISPs (NANOG members ?) could arrange for their
 recursive servers to act as private secondaries of ".", thus
 eliminating the dependence on the root servers entirely for a
 large chunks of the Internet user base.
	1266 A records
	1243 NS records
	1 SOA record
	1 TXT record

	Currently, B, C, & F are open to zone transfers.


 I think the kinds of zones being handled by the gtld-servers
 would be harder to relocate, if only due to size, although the
 average NANOG reader probably has rather more bandwidth
 available than I do, they may not have the right kind of spare
 capacity on their DNS servers to secondary ".com" at short
 notice.
	Edu is pretty good size:

		17188 NS records
		 5514 A records
		    1 SOA record
		    1 TXT record

	A complete zone transfer comprises some 1016491 bytes.

 All I think root server protection requires is someone with
 access to the relevant zone to make it available through other
 channels to large ISPs. There is no technical reason why key DNS
 infrastructure providers could not implement such a scheme on
 their own recursive DNS servers now, and it would offer to
 reduce load on both their own, and the root DNS servers and
 networks.
I disagree. This is only going to help those ISPs that are clued-in enough to act as a stealth secondary of the zone, and then only for those customers that will be using their nameservers as caching/recursive servers, or have their own caching/recursive servers forward all unknown queries to their ISPs. I'm sorry, but that's a vanishingly small group of people, and will have little or no measurable impact.

Better would be for the root nameservers to do per-IP address throttling. If you send them too many queries in a given period of time, they can throw away any excess queries. This prevents people from running tools like queryperf on a constant basis from excessively abusing the server.

Indeed, some root nameservers are already doing per-IP address throttling.

 In practical terms I'd be more worried about smaller attacks
 against specific CC domains, I could imagine some people seeing
 disruption of "il" as a more potent (and perhaps less globally
 unpopular) political statement, than disrupting the whole
 Internet.
Keep in mind that some ccTLDs are pretty good size themselves. The largest domain I've been able to get a zone transfer of is .tv, comprising some 20919120 bytes of data -- 381812 NSes, 72694 A RRs, 5754 CNAMEs, and 3 MXes.

Any zone that is served by a system that is both authoritative and public caching/recursive is wide-open for cache-poisoning attacks -- such as any zone served by nic.lth.se [130.235.20.3].

 Similarly an attack on a commercial subdomain in a
 specific country could be used to make a political statement,
 but might have significant economic consequences for some
 companies. Attacking 3 or 4 servers is far easier than attacking
 13 geographically diverse, well networked, and well protected
 servers.
Who said that the root nameservers were geographically diverse? I don't think the situation has changed much since the list at <http://www.icann.org/committees/dns-root/y2k-statement.htm> was created. I don't call this geographically diverse.

 I definitely agree. ccTLDen are in very varying states of security
 awareness, and while I believe .il is aware and prepared, other
 conflict zone domains might not be...
Except for the performance issues, IMO ccTLDs should be held to the same standards of operation as the root nameservers, and thus subject to RFC 2010 "Operational Criteria for Root Name Servers" by B. Manning, P. Vixie and RFC 2870 "Root Name Server Operational Requirements" by R. Bush, D. Karrenberg, M. Kosters, & R. Plzak.


Those of you who are interested in this topic may want to drop in on my invited talk "Domain Name Server Comparison: BIND 8 vs. BIND 9 vs. djbdns vs. ???" at LISA 2002. Root & TLD server issues will figure heavily in comparison. ;-)

--
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.