[dns-operations] DNS "security" and DDoS attacks
George Barwood
george.barwood at blueyonder.co.uk
Mon Mar 29 15:04:07 UTC 2010
----- Original Message -----
From: "Jim Reid" <jim at rfc1035.com>
To: "George Barwood" <george.barwood at blueyonder.co.uk>
Cc: "Dobbins, Roland" <rdobbins at arbor.net>; <dns-operations at mail.dns-oarc.net>
Sent: Monday, March 29, 2010 3:32 PM
Subject: DNS "security" and DDoS attacks
> On 29 Mar 2010, at 14:48, George Barwood wrote:
>
>> Securing the transmission channel has many security benefits
>
> Define what you mean by "securing the transmission channel"
Encrypting and authenticating each packet, for example
http://tools.ietf.org/html/draft-barwood-dnsext-dns-transport-17#section-3.8
>> in particular it stops various denial of service attacks.
>
> Nope. It's just not possible to prevent DoS attacks on DNS because of
> the fundamental nature of what the DNS is: an open and globally
> pervasive infrastructure. The only way to prevent DoS attacks would be
> to stop people using the DNS.
You cannot stop ALL attacks, but there is a class of attacks that can be stopped
with relatively low administrative cost which DNSSEC in its present form does not address.
Besides this example, there is also privacy, and network level replay attacks
(signatures typically remain valid for a few days), which are prevented by
channel security.
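To make the replay point above concrete, here is an added toy model (not code from the thread, the draft, or any DNS implementation). It contrasts a DNSSEC-style record signature, whose only freshness check is a multi-day inception/expiration window, with a per-exchange authenticated channel in which the responder's MAC covers a nonce the querier chose. All keys, record data and timestamps are constructed; the HMACs stand in for a real RRSIG signature and for whatever per-packet authentication a transport-security scheme would use.

```python
"""Added illustration (not from the mailing-list thread): a record signature
with a multi-day validity window cannot tell a fresh response from a replayed
one, while a channel MAC bound to a per-query nonce can.

Everything here is a constructed toy model: the 'zone key' is an HMAC key
standing in for a real RRSIG signing key, the records and timestamps are
made up, and the channel MAC is a stand-in for real transport security.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

DAY = 86400


@dataclass(frozen=True)
class SignedRRset:
    name: str
    rdata: str
    inception: int   # seconds since epoch, like RRSIG inception
    expiration: int  # seconds since epoch, like RRSIG expiration
    signature: bytes


def sign_rrset(zone_key: bytes, name: str, rdata: str, now: int,
               validity_days: int = 7) -> SignedRRset:
    """Toy RRSIG: MAC over name, rdata and the validity window (constructed)."""
    inception, expiration = now, now + validity_days * DAY
    msg = f"{name}|{rdata}|{inception}|{expiration}".encode()
    sig = hmac.new(zone_key, msg, hashlib.sha256).digest()
    return SignedRRset(name, rdata, inception, expiration, sig)


def dnssec_validate(zone_key: bytes, rr: SignedRRset, now: int) -> bool:
    """Accept any correctly signed record whose window covers 'now'.

    Nothing ties the record to a particular query, so a response captured on
    day 1 validates identically when presented again on day 3.
    """
    msg = f"{rr.name}|{rr.rdata}|{rr.inception}|{rr.expiration}".encode()
    expected = hmac.new(zone_key, msg, hashlib.sha256).digest()
    good_sig = hmac.compare_digest(expected, rr.signature)
    return good_sig and rr.inception <= now <= rr.expiration


# --- per-exchange channel authentication (toy model) ------------------------

def channel_query(name: str) -> tuple[bytes, bytes]:
    """Querier side: a fresh random nonce per query; returns (nonce, wire query)."""
    nonce = os.urandom(16)
    return nonce, nonce + name.encode()


def channel_response(channel_key: bytes, query_wire: bytes, rdata: str) -> bytes:
    """Responder side: the MAC binds the answer to the exact query bytes, nonce included."""
    body = query_wire + b"|" + rdata.encode()
    return body + hmac.new(channel_key, body, hashlib.sha256).digest()


def channel_validate(channel_key: bytes, expected_nonce: bytes, resp: bytes) -> bool:
    """Querier side: check the MAC, then check the response echoes OUR nonce.

    A captured response carries the nonce of the query it answered, so it
    fails the second check even though its MAC is genuine.
    """
    body, tag = resp[:-32], resp[-32:]
    if not hmac.compare_digest(hmac.new(channel_key, body, hashlib.sha256).digest(), tag):
        return False
    return body.startswith(expected_nonce)


def demo() -> tuple[bool, bool, bool]:
    """Returns (signed record accepted on replay, fresh channel exchange accepted,
    replayed channel response rejected)."""
    zone_key, channel_key = b"constructed-zone-key", b"constructed-channel-key"
    t0 = 1_270_000_000  # constructed epoch value, roughly March 2010
    rr = sign_rrset(zone_key, "www.example.", "192.0.2.1", t0)
    # Presenting the same signed record two days later: still inside the window.
    replay_accepted = dnssec_validate(zone_key, rr, t0 + 2 * DAY)

    nonce1, q1 = channel_query("www.example.")
    r1 = channel_response(channel_key, q1, "192.0.2.1")
    fresh_ok = channel_validate(channel_key, nonce1, r1)
    # A later query for the same name gets a new nonce; the old response no longer matches.
    nonce2, _q2 = channel_query("www.example.")
    replay_rejected = not channel_validate(channel_key, nonce2, r1)
    return replay_accepted, fresh_ok, replay_rejected


if __name__ == "__main__":
    print(demo())
```

The asymmetry the code shows is the whole of the argument: the record signature proves the data came from the zone at some point in a window of days, whereas the channel MAC proves this particular answer was produced for this particular query, so freshness comes for free.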