[dns-operations] NS selection in bind
Michael Graff
mgraff at isc.org
Fri Sep 17 22:14:35 UTC 2010
I believe that is correct. It's been a while since I examined this code closely.
I also believe 9.6 was the first to implement banding but I would have to check to be certain it was not backported to older release branches.
--Michael (from an iPhone)
On Sep 17, 2010, at 15:08, Ricardo Oliveira <rvelosoo at gmail.com> wrote:
> Michael,
>
> Thanks for the info. I assume than that when you have 2 bands, you only use the slowest band when _all_ servers in the first band are down? (and servers within each band are randomly picked)
>
> Also, just to confirm, the selection algo before 9.6 was to just pick the server with lowest RTT (no bands)
>
> Thanks!
>
> --Ricardo
>
> On Sep 17, 2010, at 5:55 AM, Michael Graff wrote:
>
>> On 9/17/10 4:53 AM, Ricardo Oliveira wrote:
>>
>>> Does anyone in this list knows more details about this change short of
>>> looking at the source code?
>>> How often are RTTs randomly changed, on every query?
>>> Is the value picked randomly between 0 and 128ms?
>>
>> This is referred to (by us anyway) as RTT banding.
>>
>> That is, we break the RTT response times from servers into 128ms groups,
>> so anything 0-127ms will be considered "the same" while anything
>> 128-255ms will be "the same" for random selection.
>>
>> The purpose is to make it harder to know which of several reasonably
>> speedy servers are likely to be responded to, so a brute force flood
>> attack is harder.
>>
>> This was one of many mitigation techniques, along with source port
>> randomization, to defend against such.
>>
>> --Michael
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
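As an added illustration (not BIND's own code, and not from anyone in this thread), the following Python models the RTT banding Michael describes beside the lowest-RTT-only rule, and measures how predictable each makes the chosen server; the server names, RTTs and the `Server` class are constructed for the example.

```python
import random
from dataclasses import dataclass

BAND_MS = 128  # band width described in the thread: 0-127ms, 128-255ms, ...


@dataclass
class Server:
    name: str
    rtt_ms: int
    up: bool = True


def band(rtt_ms: int, band_ms: int = BAND_MS) -> int:
    """Map an RTT to its band index: 0-127ms -> 0, 128-255ms -> 1, ..."""
    return rtt_ms // band_ms


def select_lowest_rtt(servers, rng=random):
    """Pre-banding rule as described in the thread: always the fastest server that is up."""
    candidates = [s for s in servers if s.up]
    return min(candidates, key=lambda s: s.rtt_ms) if candidates else None


def select_banded(servers, rng=random, band_ms=BAND_MS):
    """Banded rule: pick uniformly at random within the fastest band that still
    has a server up; slower bands are used only when every faster server is down."""
    candidates = [s for s in servers if s.up]
    if not candidates:
        return None
    best = min(band(s.rtt_ms, band_ms) for s in candidates)
    pool = [s for s in candidates if band(s.rtt_ms, band_ms) == best]
    return rng.choice(pool)


def predictability(selector, servers, trials=10000, seed=0):
    """Fraction of selections that land on the single most-chosen server.
    1.0 means an observer can always guess the target; lower is better."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        chosen = selector(servers, rng)
        counts[chosen.name] = counts.get(chosen.name, 0) + 1
    return max(counts.values()) / trials


# Constructed sample: two servers share band 0, one sits in band 2.
SAMPLE = [Server("ns1", 20), Server("ns2", 90), Server("ns3", 300)]

if __name__ == "__main__":
    print("lowest-RTT predictability:", predictability(select_lowest_rtt, SAMPLE))
    print("banded predictability:", predictability(select_banded, SAMPLE))
```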