[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open Resolver Problems

On 3/28/13, Ben Aitchison <ben at meh.net.nz> wrote:
> On Tue, Mar 26, 2013 at 07:07:16PM -0700, Tom Paseka wrote:
>> Authoritative DNS servers need to implement rate limiting. (a client
>> shouldn't query you twice for the same thing within its TTL).

The RFC doesn't say that is a should; a client MAY only query you once
for a record within its TTL;  the TTL is the duration after which the
entry /must/ be expunged from the cache,  it is an allowed maximum,
not a minimum lifetime.

A client may query plenty of times within its TTL. Sufficiently low
rate limits on the authoritative would open the possibility of new
kinds of attacks.

If the authoritative DNS server decides to limit its rate of response,
this might be used to conduct a DoS  against the recursive
nameserver's ability to lookup queries against the authoritative NS
applying the limit.
This could be leveraged remotely through a malicious website,  remote
loading  bad image URLs from a significant number of non-existent
subdomains,  causing the rate limit to be attained.

This may also be used to facilitate cache poisoning  against
legitimate recursors, targeting the domain whose authoritative servers
apply a strict limit,  by intentionally causing the recursor to make
the maximum  number of queries allowed,  before sending spoofed

Especially a client that answers many different queries for a large
number of clients and has limited cache sizes  may query many times
within a TTL.

The average record cache lifetime might be  15 to 40 seconds (with as
low as 1 second in cases),  even if the record TTL is 86400.

Or the cache may be manually flushed by the operator, in order to have
a local DNS record change take effect more immediately  (since most
resolvers do not provide an admin command to flush only one zone from
their cache).

No guarantee is made about the size of the client's cache, number of
records, or the client's cache aging policy.     The response may be
discarded or aged out, well before its TTL has elapsed.

There may be other 'more popular'  records on the same DNS resolver
that are retained in the cache until TTL.

Additional queries may be issued as a cache-poisoning avoidance mechanism.

The same DNS servers might get queried multiple times successively for
different records within the same zone.

> unbound with it's dns-prefetching queries a dns servers again in I think the
> last 10% of ttl when
> returning hit to client to refresh ttl and keep it current.