[dns-operations] on amplification, udp, and dns

Edward Lewis Ed.Lewis at neustar.biz
Thu Mar 23 19:01:12 UTC 2006

Sometimes it seems to me that the only way to prevent DNS's use of 
UDP as a tool for amplification is to require that queries be almost 
as big, or perhaps even bigger than, responses.

Closing down open recursive servers only shuts down one amplification 
path, but one that today is significant because the number of open 
resolvers out there is much larger than the number of authoritative 
servers with large data sets.

But if DNSSEC (a desirable thing to quite a few folks) gets to 
widespread deployment, then there will be many authoritative servers 
that will be available for amplification services.  What a dilemma, 
improving the security of DNS makes DNS a more valuable tool for DDoS.

EDNS0 opens up the message size is needed for DNSSEC, IPv6 glue, and 
then NATPR record in ENUM.  But then again, this improvement 
facilitates amplification.

This does not make me happy.
Edward Lewis                                                +1-571-434-5468

Nothin' more exciting than going to the printer to watch the toner drain...

More information about the dns-operations mailing list