[dns-operations] DNS deluge for x.p.ctrc.cc
Mark Andrews
Mark_Andrews at isc.org
Mon Feb 27 00:28:18 UTC 2006
> Roland Dobbins wrote:
> > I wasn't talking about just smurf-like with that type of
> > amplification effect, nor just tricks like asking for 4K TXT records,
> > etc.; rather, some interesting logical relationships that Dan and
> > Mike have uncovered between some open recursive nameservers and
> > heretofore unknown resolvers of one flavor or another.
>
> I have a question someone here may be able to answer...
>
> Rob mentioned earlier these should be limited to 512 ATM, as a best
> practice - and as far as I see it, a band-aid stop-gap effort.... which
> makes sense.
We are already exceeding the limits of plain DNS for referrals
from the root servers. Do you really want to break all the
EDNS aware caching servers in the world?
; <<>> DiG 8.3 <<>> +norec +dnssec www.microsoft.com @a.root-servers.net
; (1 server found)
;; res options: init defnam dnsrch dnssec
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6736
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16
;; QUERY SECTION:
;; www.microsoft.com, type = A, class = IN
;; AUTHORITY SECTION:
com. 2D IN NS A.GTLD-SERVERS.NET.
com. 2D IN NS G.GTLD-SERVERS.NET.
com. 2D IN NS H.GTLD-SERVERS.NET.
com. 2D IN NS C.GTLD-SERVERS.NET.
com. 2D IN NS I.GTLD-SERVERS.NET.
com. 2D IN NS B.GTLD-SERVERS.NET.
com. 2D IN NS D.GTLD-SERVERS.NET.
com. 2D IN NS L.GTLD-SERVERS.NET.
com. 2D IN NS F.GTLD-SERVERS.NET.
com. 2D IN NS J.GTLD-SERVERS.NET.
com. 2D IN NS K.GTLD-SERVERS.NET.
com. 2D IN NS E.GTLD-SERVERS.NET.
com. 2D IN NS M.GTLD-SERVERS.NET.
;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET. 2D IN AAAA 2001:503:a83e::2:30
A.GTLD-SERVERS.NET. 2D IN A 192.5.6.30
G.GTLD-SERVERS.NET. 2D IN A 192.42.93.30
H.GTLD-SERVERS.NET. 2D IN A 192.54.112.30
C.GTLD-SERVERS.NET. 2D IN A 192.26.92.30
I.GTLD-SERVERS.NET. 2D IN A 192.43.172.30
B.GTLD-SERVERS.NET. 2D IN AAAA 2001:503:231d::2:30
B.GTLD-SERVERS.NET. 2D IN A 192.33.14.30
D.GTLD-SERVERS.NET. 2D IN A 192.31.80.30
L.GTLD-SERVERS.NET. 2D IN A 192.41.162.30
F.GTLD-SERVERS.NET. 2D IN A 192.35.51.30
J.GTLD-SERVERS.NET. 2D IN A 192.48.79.30
K.GTLD-SERVERS.NET. 2D IN A 192.52.178.30
E.GTLD-SERVERS.NET. 2D IN A 192.12.94.30
M.GTLD-SERVERS.NET. 2D IN A 192.55.83.30
; EDNS: version: 0, udp=4096, flags=0000
;; Total query time: 252 msec
;; FROM: drugs.dv.isc.org to SERVER: 198.41.0.4
;; WHEN: Mon Feb 27 11:02:38 2006
;; MSG SIZE sent: 46 rcvd: 534
And if we could just add the AAAA for the IPv6 enabled root
servers the priming query would be something like this.
; <<>> DiG 8.3 <<>> ns . +dnssec +norec
;; res options: init defnam dnsrch dnssec
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55871
;; flags: qr ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 19
;; QUERY SECTION:
;; ., type = NS, class = IN
;; ANSWER SECTION:
. 2d13h9m16s IN NS J.ROOT-SERVERS.NET.
. 2d13h9m16s IN NS K.ROOT-SERVERS.NET.
. 2d13h9m16s IN NS L.ROOT-SERVERS.NET.
. 2d13h9m16s IN NS M.ROOT-SERVERS.NET.
. 2d13h9m16s IN NS A.ROOT-SERVERS.NET.
. 2d13h9m16s IN NS B.ROOT-SERVERS.NET.
. 2d13h9m16s IN NS C.ROOT-SERVERS.NET.
. 2d13h9m16s IN NS D.ROOT-SERVERS.NET.
. 2d13h9m16s IN NS E.ROOT-SERVERS.NET.
. 2d13h9m16s IN NS F.ROOT-SERVERS.NET.
. 2d13h9m16s IN NS G.ROOT-SERVERS.NET.
. 2d13h9m16s IN NS H.ROOT-SERVERS.NET.
. 2d13h9m16s IN NS I.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 1d23h50m43s IN A 198.41.0.4
B.ROOT-SERVERS.NET. 1H IN A 192.228.79.201
C.ROOT-SERVERS.NET. 6d23h58m16s IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6d23h58m23s IN A 128.8.10.90
E.ROOT-SERVERS.NET. 6d23h58m28s IN A 192.203.230.10
F.ROOT-SERVERS.NET. 1H IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6d23h58m41s IN A 192.112.36.4
H.ROOT-SERVERS.NET. 1H IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6d23h59m2s IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6d23h59m7s IN A 192.58.128.30
K.ROOT-SERVERS.NET. 1H IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6d23h59m20s IN A 198.32.64.12
M.ROOT-SERVERS.NET. 1H IN A 202.12.27.33
B.ROOT-SERVERS.NET. 1H IN AAAA 2001:478:65::53
F.ROOT-SERVERS.NET. 1H IN AAAA 2001:500::1035
H.ROOT-SERVERS.NET. 1H IN AAAA 2001:500:1::803f:235
K.ROOT-SERVERS.NET. 1H IN AAAA 2001:7fd::1
M.ROOT-SERVERS.NET. 1H IN AAAA 2001:dc3::35
; EDNS: version: 0, udp=1460, flags=8000
;; Total query time: 1 msec
;; FROM: drugs.dv.isc.org to SERVER: 127.0.0.1
;; WHEN: Mon Feb 27 11:09:25 2006
;; MSG SIZE sent: 28 rcvd: 587
> Some (I think it was Bill?) said this can kill some applications such as
> DNS-SEC, now.. not to nitpick but I don't exactly see DNS-SEC around.
The current RFCs were only finalised mid last year. There is
a small amount of deployment happening. Did you really expect
widespread deployment immediately?
> What other applications using larger packets would it break?
>
> How large would the packets for these applications be? Surely if they
> are, say, 1024, it's better than 4 K's.
> :)
For DNSSEC you need > 2048. For IPv6 only you could get away
with 1500. For DNSSEC + IPv6 you start to go close to 4k.
> Also, wasn't the problem packet fragmentation? What am I missing?
The basic problem is that UDP is too easy to spoof and there
are still way too many networks that don't do source address
filtering of the packets leaving their networks.
DNS just happens to be a wide spread protocol based on UDP
where the responses are bigger than the queries. Even if
you block all the non-local recursive queries there are
still enough authoritative servers with big RRsets that you
can query for.
Mark
> Thanks,
>
> Gadi.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
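Added example, not part of Mark's message and not ISC code: the query/response asymmetry and the 512-byte versus EDNS payload question above can be checked by building the two queries from the dig output in wire format. A plain DNS query for www.microsoft.com with an EDNS0 OPT record is 46 bytes and the root referral that came back was 534 bytes, so the 512-byte limit of RFC 1035 would already truncate that referral for a resolver that does not advertise EDNS. The response sizes (534 and 587 bytes) are taken from the dig runs quoted above; the transaction id, the absence of name compression and the absence of any network I/O are assumptions of this example.

```python
import struct

# Sizes observed in the dig output quoted in the message (constructed test data,
# copied from the "MSG SIZE sent/rcvd" lines, not measured here).
ROOT_REFERRAL_RESPONSE = 534   # www.microsoft.com A @a.root-servers.net, +dnssec
PRIMING_RESPONSE = 587         # ". NS" priming query, +dnssec

QTYPES = {"A": 1, "NS": 2, "TXT": 16, "AAAA": 28}
OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 2671 at the time, now RFC 6891)
EDNS_DO = 0x8000       # "DNSSEC OK" flag in the OPT TTL field
PLAIN_DNS_MAX = 512    # RFC 1035 UDP limit without EDNS


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte.
    "." (the root) encodes as a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234, edns_udp_size=None, dnssec_ok=False):
    """Build a non-recursive (RD=0, like dig +norec) query. When edns_udp_size is
    given, append an OPT record advertising that UDP payload size, optionally with
    the DO bit set (dig +dnssec)."""
    arcount = 1 if edns_udp_size is not None else 0
    # Header: ID, flags (all zero => QUERY, RD=0), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)  # QTYPE, QCLASS=IN
    if edns_udp_size is not None:
        ttl = EDNS_DO if dnssec_ok else 0
        # OPT RR: root owner name, TYPE=41, CLASS=payload size, TTL=rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, ttl, 0)
    return msg


def max_udp_response(query):
    """Largest UDP response a server may send for this query: 512 bytes for plain
    DNS, else the payload size advertised in the query's OPT record."""
    _txid, _flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", query[:12])
    pos = 12
    for _ in range(qdcount):
        while query[pos] != 0:            # walk labels (queries we build are uncompressed)
            pos += 1 + query[pos]
        pos += 1 + 4                       # terminating zero + QTYPE/QCLASS
    if arcount and query[pos] == 0:        # OPT must have the root owner name
        rtype, rclass = struct.unpack("!HH", query[pos + 1:pos + 5])
        if rtype == OPT_TYPE:
            return rclass
    return PLAIN_DNS_MAX


def fits_in_udp(response_len, query):
    """True if the response fits the UDP size this query allows; otherwise the
    server must truncate (TC=1) and the client retries over TCP."""
    return response_len <= max_udp_response(query)


def amplification(query_len, response_len):
    """Bytes received per byte sent: what a spoofed-source sender gains."""
    return response_len / query_len


def summarize():
    """Reproduce the two dig queries from the message and compare their sizes
    with the responses that came back."""
    referral_q = build_query("www.microsoft.com", "A", edns_udp_size=4096, dnssec_ok=True)
    priming_q = build_query(".", "NS", edns_udp_size=1460, dnssec_ok=True)
    plain_q = build_query("www.microsoft.com", "A")     # same question, no EDNS
    return {
        "referral_query_bytes": len(referral_q),                         # 46, as dig reported
        "priming_query_bytes": len(priming_q),                           # 28, as dig reported
        "referral_fits_plain_dns": fits_in_udp(ROOT_REFERRAL_RESPONSE, plain_q),
        "referral_fits_edns": fits_in_udp(ROOT_REFERRAL_RESPONSE, referral_q),
        "referral_amplification": round(amplification(len(referral_q), ROOT_REFERRAL_RESPONSE), 1),
        "priming_amplification": round(amplification(len(priming_q), PRIMING_RESPONSE), 1),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The point the numbers make: even the unsigned root referral for a .com name is over 512 bytes, so clamping responses at 512 forces every EDNS-aware resolver to fall back to TCP for it, while a 46-byte spoofed query still draws an 11x larger answer from any authoritative server that carries a big RRset.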