[dns-operations] Bailiwick stats? Idea for mitigation...

brett watson brett at the-watsons.org
Sun Aug 10 00:29:47 UTC 2008

On Aug 9, 2008, at 4:02 PM, Brian Dickson wrote:

> Thinking along the lines of things that rdns servers can do  
> unilaterally to improve forgery resilience...
> Do we know what typical percentage of queries a rdns box is likely  
> to receive, of sub-domains of in-cache domains (which are not  
> themselves cached), versus all other queries?
> What I'm thinking is, when such a query is seen, even without  
> checking TXID/QID mismatches, just always require two identical  
> answers at each (external, non-cached) step of the recursive  
> resolution process, using UDP.
> With randomized ports per query, this effectively doubles the number  
> of entropy bits, albeit at a performance hit of 2x, but only for  
> those non-cached domains underneath cached domains.

But what happens when the attackers start launching large scale  
dictionary attacks (ie. NXDOMAIN answers, non-cached)... the 2x factor  
gets pretty ugly?

> The question is, what is the *actual* performance penalty? If the  
> client-side percentage of such queries is low, like 20%, then the 2x  
> penalty would only add 20% to the load, whilst going a long way  
> towards making such attacks infeasible.

Under nominal circumstances though, this seems somewhat reasonable.


More information about the dns-operations mailing list