[dns-operations] DNS deluge for x.p.ctrc.cc

Mark Andrews Mark_Andrews at isc.org
Mon Feb 27 00:28:18 UTC 2006


> Roland Dobbins wrote:
> > I wasn't talking about just smurf-like with that type of  
> > amplification effect, nor just tricks like asking for 4K TXT records,  
> > etc.; rather, some interesting logical relationships that Dan and  
> > Mike have uncovered between some open recursive nameservers and  
> > heretofore unknown resolvers of one flavor or another.
> 
> I have a question someone here may be able to answer...
> 
> Rob mentioned earlier these should be limited to 512 ATM, as a best 
> practice - and as far as I see it, a band-aid stop-gap effort.... which 
> makes sense.
	
	We are already exceeding the limits of plain DNS for referrals
	from the root servers.  Do you really want to break all the
	EDNS aware caching servers in the world?

; <<>> DiG 8.3 <<>> +norec +dnssec www.microsoft.com @a.root-servers.net 
; (1 server found)
;; res options: init defnam dnsrch dnssec
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6736
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16
;; QUERY SECTION:
;;	www.microsoft.com, type = A, class = IN

;; AUTHORITY SECTION:
com.			2D IN NS	A.GTLD-SERVERS.NET.
com.			2D IN NS	G.GTLD-SERVERS.NET.
com.			2D IN NS	H.GTLD-SERVERS.NET.
com.			2D IN NS	C.GTLD-SERVERS.NET.
com.			2D IN NS	I.GTLD-SERVERS.NET.
com.			2D IN NS	B.GTLD-SERVERS.NET.
com.			2D IN NS	D.GTLD-SERVERS.NET.
com.			2D IN NS	L.GTLD-SERVERS.NET.
com.			2D IN NS	F.GTLD-SERVERS.NET.
com.			2D IN NS	J.GTLD-SERVERS.NET.
com.			2D IN NS	K.GTLD-SERVERS.NET.
com.			2D IN NS	E.GTLD-SERVERS.NET.
com.			2D IN NS	M.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET.	2D IN AAAA	2001:503:a83e::2:30
A.GTLD-SERVERS.NET.	2D IN A		192.5.6.30
G.GTLD-SERVERS.NET.	2D IN A		192.42.93.30
H.GTLD-SERVERS.NET.	2D IN A		192.54.112.30
C.GTLD-SERVERS.NET.	2D IN A		192.26.92.30
I.GTLD-SERVERS.NET.	2D IN A		192.43.172.30
B.GTLD-SERVERS.NET.	2D IN AAAA	2001:503:231d::2:30
B.GTLD-SERVERS.NET.	2D IN A		192.33.14.30
D.GTLD-SERVERS.NET.	2D IN A		192.31.80.30
L.GTLD-SERVERS.NET.	2D IN A		192.41.162.30
F.GTLD-SERVERS.NET.	2D IN A		192.35.51.30
J.GTLD-SERVERS.NET.	2D IN A		192.48.79.30
K.GTLD-SERVERS.NET.	2D IN A		192.52.178.30
E.GTLD-SERVERS.NET.	2D IN A		192.12.94.30
M.GTLD-SERVERS.NET.	2D IN A		192.55.83.30
; EDNS: version: 0, udp=4096, flags=0000

;; Total query time: 252 msec
;; FROM: drugs.dv.isc.org to SERVER: 198.41.0.4
;; WHEN: Mon Feb 27 11:02:38 2006
;; MSG SIZE  sent: 46  rcvd: 534

	And if we could just add the AAAA for the IPv6 enabled root
	servers the priming query would be something like this.

; <<>> DiG 8.3 <<>> ns . +dnssec +norec 
;; res options: init defnam dnsrch dnssec
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55871
;; flags: qr ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 19
;; QUERY SECTION:
;;	., type = NS, class = IN

;; ANSWER SECTION:
.			2d13h9m16s IN NS  J.ROOT-SERVERS.NET.
.			2d13h9m16s IN NS  K.ROOT-SERVERS.NET.
.			2d13h9m16s IN NS  L.ROOT-SERVERS.NET.
.			2d13h9m16s IN NS  M.ROOT-SERVERS.NET.
.			2d13h9m16s IN NS  A.ROOT-SERVERS.NET.
.			2d13h9m16s IN NS  B.ROOT-SERVERS.NET.
.			2d13h9m16s IN NS  C.ROOT-SERVERS.NET.
.			2d13h9m16s IN NS  D.ROOT-SERVERS.NET.
.			2d13h9m16s IN NS  E.ROOT-SERVERS.NET.
.			2d13h9m16s IN NS  F.ROOT-SERVERS.NET.
.			2d13h9m16s IN NS  G.ROOT-SERVERS.NET.
.			2d13h9m16s IN NS  H.ROOT-SERVERS.NET.
.			2d13h9m16s IN NS  I.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.	1d23h50m43s IN A  198.41.0.4
B.ROOT-SERVERS.NET.	1H IN A		192.228.79.201
C.ROOT-SERVERS.NET.	6d23h58m16s IN A  192.33.4.12
D.ROOT-SERVERS.NET.	6d23h58m23s IN A  128.8.10.90
E.ROOT-SERVERS.NET.	6d23h58m28s IN A  192.203.230.10
F.ROOT-SERVERS.NET.	1H IN A		192.5.5.241
G.ROOT-SERVERS.NET.	6d23h58m41s IN A  192.112.36.4
H.ROOT-SERVERS.NET.	1H IN A		128.63.2.53
I.ROOT-SERVERS.NET.	6d23h59m2s IN A  192.36.148.17
J.ROOT-SERVERS.NET.	6d23h59m7s IN A  192.58.128.30
K.ROOT-SERVERS.NET.	1H IN A		193.0.14.129
L.ROOT-SERVERS.NET.	6d23h59m20s IN A  198.32.64.12
M.ROOT-SERVERS.NET.	1H IN A		202.12.27.33
B.ROOT-SERVERS.NET.	1H IN AAAA	2001:478:65::53
F.ROOT-SERVERS.NET.	1H IN AAAA	2001:500::1035
H.ROOT-SERVERS.NET.	1H IN AAAA	2001:500:1::803f:235
K.ROOT-SERVERS.NET.	1H IN AAAA	2001:7fd::1
M.ROOT-SERVERS.NET.	1H IN AAAA	2001:dc3::35
; EDNS: version: 0, udp=1460, flags=8000

;; Total query time: 1 msec
;; FROM: drugs.dv.isc.org to SERVER: 127.0.0.1
;; WHEN: Mon Feb 27 11:09:25 2006
;; MSG SIZE  sent: 28  rcvd: 587

> Some (I think it was Bill?) said this can kill some applications such as 
> DNS-SEC, now.. not to nitpick but I don't exactly see DNS-SEC around.

	The current RFCs were only finalised mid last year.  There is
	a small amount of deployment happening.  Did you really expect
	widespread deployment immediately?
 
> What other applications using larger packets would it break?
> 
> How large would the packets for these applications be? Surely if they 
> are, say, 1024, it's better than 4 K's.
> :)

	For DNSSEC you need > 2048.  For IPv6 only you could get away
	with 1500.  For DNSSEC + IPv6 you start to go close to 4k.
 
> Also, wasn't the problem packet fragmentation? What am I missing?

	The basic problem is that UDP is too easy to spoof and there
	are still way too many networks that don't do source address
	filtering of the packets leaving their networks.

	DNS just happens to be a widespread protocol based on UDP
	where the responses are bigger than the queries.  Even if
	you block all the non-local recursive queries there are
	still enough authoritative servers with big RRsets that you
	can query for.

	Mark
 
> Thanks,
> 
> 	Gadi.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
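The two dig transcripts above make Mark's point numerically: a 46-byte query to the root draws a 534-byte referral, and a 28-byte priming query draws a 587-byte answer, both already over the classic 512-byte UDP limit. The following Python script is an added example, not code from Mark, ISC or the list; it builds the wire-format EDNS0 query dig sends (header, question, OPT record) so the query sizes can be checked against the "MSG SIZE sent:" figures, and it parses the size and EDNS lines of a dig footer to report the amplification ratio and whether a 512-byte cap would have truncated the reply. The `build_query`, `analyse_dig` and `encode_name` names are this example's own, and the two footer snippets are copied from the transcripts in the message; an operator would run the same analysis over their own dig output to see how much amplification their authoritative servers hand to a spoofed source.

```python
import re
import struct

# OPT pseudo-RR type (RFC 2671 / EDNS0) and the DO bit carried in the high
# bit of the OPT TTL field.
TYPE_OPT = 41
DO_BIT = 0x8000


def encode_name(name):
    """Encode a domain name as RFC 1035 wire-format labels ("." -> b"\\x00")."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, edns_udp_size=None, dnssec_ok=False, txid=0):
    """Build a non-recursive DNS query (dig +norec) with an optional OPT RR.

    The OPT RR advertises the sender's UDP buffer size in its CLASS field and
    the DO (DNSSEC OK) flag in its TTL field; it adds exactly 11 bytes.
    """
    arcount = 1 if edns_udp_size is not None else 0
    # flags 0x0000: no RD, so the server answers with a referral if it is
    # not authoritative, exactly as the root does for www.microsoft.com.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns_udp_size is not None:
        ttl = DO_BIT if dnssec_ok else 0  # ext-rcode 0, version 0, flags
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, ttl, 0)
    return header + question + opt


DIG_SIZE_RE = re.compile(r";; MSG SIZE\s+sent:\s*(\d+)\s+rcvd:\s*(\d+)")
DIG_EDNS_RE = re.compile(r"; EDNS: version: (\d+), udp=(\d+), flags=([0-9a-fA-F]{4})")


def analyse_dig(dig_output, classic_limit=512):
    """Extract sizes from a dig footer and score the response as an amplifier.

    Returns the bytes sent/received, the amplification ratio, whether the
    reply exceeds the pre-EDNS 512-byte limit (so a server capped at 512
    would have to set TC and push the client to TCP), and whether it fits
    the buffer the responder advertised in its OPT record.
    """
    sizes = DIG_SIZE_RE.search(dig_output)
    if sizes is None:
        raise ValueError("no ';; MSG SIZE' line in dig output")
    sent, rcvd = int(sizes.group(1)), int(sizes.group(2))
    edns = DIG_EDNS_RE.search(dig_output)
    udp = int(edns.group(2)) if edns else None
    do_bit = bool(int(edns.group(3), 16) & DO_BIT) if edns else False
    return {
        "sent": sent,
        "rcvd": rcvd,
        "amplification": rcvd / sent,
        "exceeds_512": rcvd > classic_limit,
        "edns_udp": udp,
        "do_bit": do_bit,
        "fits_advertised": udp is None or rcvd <= udp,
    }


# Footer lines copied from the two transcripts in the message above.
ROOT_REFERRAL = """; EDNS: version: 0, udp=4096, flags=0000
;; MSG SIZE  sent: 46  rcvd: 534
"""
PRIMING_ANSWER = """; EDNS: version: 0, udp=1460, flags=8000
;; MSG SIZE  sent: 28  rcvd: 587
"""


if __name__ == "__main__":
    # The constructed queries match dig's "sent" sizes byte for byte.
    print(len(build_query("www.microsoft.com", 1, edns_udp_size=4096, dnssec_ok=True)))  # 46
    print(len(build_query(".", 2, edns_udp_size=4096, dnssec_ok=True)))                  # 28
    for label, text in (("referral", ROOT_REFERRAL), ("priming", PRIMING_ANSWER)):
        r = analyse_dig(text)
        print(f"{label}: {r['sent']} -> {r['rcvd']} bytes, "
              f"x{r['amplification']:.1f}, over 512: {r['exceeds_512']}")
```

Without the OPT record the same priming query is only 17 bytes, so EDNS both raises the reply a server will send and slightly lowers the cost of asking for it; what changes the ratio is the size of the answer, which is why the thread's argument is about RRset sizes and source-address filtering rather than the query format.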
