North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: large organization nameservers sending icmp packets to dns servers.
On Aug 8, 2007, at 12:11 PM, Paul Vixie wrote:
dotis@xxxxxxxxxxxxxx (Douglas Otis) writes:Ensuring an authoritative domain name server responds via UDP is a critical security requirement. TCP will not create the same risk of a resolver being poisoned, but a TCP connection will consume a significant amount of a name server's resources.
Wanting to understand this comment, I'll expand upon the quoted statement.
Resolver's factors affecting DNS security are: - selection of port and transaction IDs - restrictions on outstanding queries for same resource - limits on inbound bandwidth
Ignoring uncontrollable factors...
Authoritative server factors affecting security are: - time frame for an answer - duration of RR TTLs - number of servers
A short time frame for an answer along with longer TTLs are influenced by authoritative servers and also affect spoofing rates.
When DNS TCP is used, the transport sequence number further precludes a spoofed TCP answer from being accepted. When a truncated response is returned, TCP fallback may be attempted. When a TCP ICMP refusal is filtered or never sent, but TCP has been blocked, the timeframe alloted for spoofing could entail the entire TCP timeout. However, probability for successful spoofing includes an additional multiplier of 1 / 2^32. This reduction should sufficiently negate an additional timeout duration.
TCP requires state and introduces several additional exchanges for a given number of answers. Any effort related to poisoning will likely attempt to delay an answer by adding to the server's overhead. Precluding truncation, and thereby eliminating TCP, should favorably reduce server overhead and increase overall performance.
Of course, a more practical method would be to ensure sufficient DNS resources are available by increasing server resources. That said, how many domains allocate a couple of prior generation servers for DNS?