[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open Resolver Problems

On Tue, Mar 26, 2013 at 07:07:16PM -0700, Tom Paseka wrote:
> On Tue, Mar 26, 2013 at 7:04 PM, Matthew Petach <mpetach at netflight.com>wrote:
> > On Tue, Mar 26, 2013 at 6:06 PM, John Levine <johnl at iecc.com> wrote:
> > >>As a white-hat attempting to find problems to address through legitimate
> > means, how
> > >>do you ?
> > >
> > > You make friends with people with busy authoritative servers and see
> > > who's querying them.
> >
> > I'm confused.  Don't most authoritative servers have to
> > answer to just about anyone in order to be useful?
> >
> > Matt
> >
> Authoritative DNS servers need to implement rate limiting. (a client
> shouldn't query you twice for the same thing within its TTL).

unbound with it's dns-prefetching queries a dns servers again in I think the last 10% of ttl when
returning hit to client to refresh ttl and keep it current.

To me this doesn't seem excessive, and will improve performance for regularly accessed sites with
short ttls which are quite common now (google, facebook, etc)

It'd break if doing that extreme rate limiting.  But so would things like rebooting a dns server,
I think if rate limiting is done it has to be on the leniant side.

Also how do you know that the dns resolver got a successful reply?   Just because you've received
a packet from a client doesn't mean that you can reach the client.  So if there's one way traffic
or excessive dual way packet loss the chances of prematurely blocking clients and creating longer
outages is too great.

That said, a lot of these amplifications attacks use ANY requests, which normal clients don't.  And
those could be rate limited down without effecting normal traffic I'm sure.