[dns-operations] Bailiwick stats? Idea for mitigation...
brett at the-watsons.org
Sun Aug 10 00:29:47 UTC 2008
On Aug 9, 2008, at 4:02 PM, Brian Dickson wrote:
> Thinking along the lines of things that rdns servers can do
> unilaterally to improve forgery resilience...
> Do we know what typical percentage of queries a rdns box is likely
> to receive, of sub-domains of in-cache domains (which are not
> themselves cached), versus all other queries?
> What I'm thinking is, when such a query is seen, even without
> checking TXID/QID mismatches, just always require two identical
> answers at each (external, non-cached) step of the recursive
> resolution process, using UDP.
> With randomized ports per query, this effectively doubles the number
> of entropy bits, albeit at a performance hit of 2x, but only for
> those non-cached domains underneath cached domains.
But what happens when the attackers start launching large scale
dictionary attacks (ie. NXDOMAIN answers, non-cached)... the 2x factor
gets pretty ugly?
> The question is, what is the *actual* performance penalty? If the
> client-side percentage of such queries is low, like 20%, then the 2x
> penalty would only add 20% to the load, whilst going a long way
> towards making such attacks infeasible.
Under nominal circumstances though, this seems somewhat reasonable.
More information about the dns-operations