[dns-operations] Too Open (Was: OpenDNS makes your Internet work better
davidu at everydns.net
Tue Jul 11 16:53:15 UTC 2006
On Jul 11, 2006, at 9:36 AM, Roy Arends wrote:
> On Mon, 10 Jul 2006, David Ulevitch wrote:
>> On Jul 10, 2006, at 1:59 PM, Stephane Bortzmeyer wrote:
>>> On Mon, Jul 10, 2006 at 01:53:58PM -0700,
>>> Rick Wesson <wessorh at ar.com> wrote
>>> a message of 36 lines which said:
>>>> The ORNs discussed in the papers you reference below are for the
>>>> most part ones that are open but not managed as open. ie their
>>>> managers think that they are closed but in fact are not. These [in
>>>> mass] do pose a threat.
>>>> OpenDNS is supposed to be open, its in their name. The ORNs are not
>>>> supposed to be open but that are.
>>> Correct but what does it change in practice. OpenDNS knows that
>>> it is open, but how does it make it less vulnerable?
>>> Do they implement rate-limiting, for instance?
>> I actually thought Rick's answer was pretty much perfect. But I'll
>> add some comments now:
>> There's a lot you can do when you are running an anycasted recursive
>> nameserver to detect things happening in flash-mob style and in the
>> Please think about this idea for a while before responding.
> ORNs can be abused to victimize _others_.
I think we all know the issue with ORNs and the attacks that have
been launched using them. This is part of my motivation in launching
Surely you know that.
> It is trivial to send requests to an Open Recursive Nameserver like
> OpenDNS, with a source address of some victim.
It's also trivial to know if you've seen requests from that source
address before. It's also possible to know average traffic patterns
for qname's and RDLENGTH, etc. Actually, it's not trivial, it's
really hard. But it's doable. Maybe not with BIND. Then again,
we're not running BIND,
We've written software that was written for our network and our
userbase. I'm sure there are bugs, but there are also fixes. A
secure DNS needs more than just a patched copy of source code, it
> Imagine a recruited army of 50K clients, sending requests to a list of
> ORNs at a rate of 10K requests per client, all with the same spoofed
> source address asking for large responses (say the root NS set).
> This will
> cause a steady stream of 250K traffic to a victim. This is not theory.
> This caused major incidents.
Why not look at solutions that incorporate IP rate-limiting, Prefix
rate-limiting, RDATA response size filtering. Tuples of TYPE, RDATA
and SRC_ADDR that distinguish changes in normal behavior can become
extremely effective at not just mitigating attacks but determining
If you want advice on how to secure a recursive dns server, let's
have that discussion.
In fact, I can't imagine a reason why you wouldn't use OpenDNS. It
does seem like the typo-correction has stirred discussion on the
wrong path in a few forums, I think we're gonna take care of that
one, hopefully by the end of the week. :-)
> dns-operations mailing list
> dns-operations at lists.oarci.net
More information about the dns-operations