[dns-operations] dns-operations at lists.dns-oarc.net
Patrick W. Gilmore
patrick at ianai.net
Wed May 9 15:18:26 UTC 2012
On May 9, 2012, at 10:56, Chris Adams wrote:
> Once upon a time, Patrick W. Gilmore <patrick at ianai.net> said:
>> If you are looking for DDoS resilience, the answer is not "X times normal". A DDoS is not a multiple of your normal traffic, it is whatever the botnet can throw at you.
> The OP asked about caching DNS servers.
The OP did, the later posts did not. Either way, the above still stands.
> In general, you should only be
> providing caching DNS services to your own network, not the Internet at
> large. Inside your network, you should be implementing BCP38; you
> shouldn't have to deal with spoofing within your own network.
Would that the world implemented BCP38. I get so tired of people saying "BCP38 doesn't matter any more, no one spoofs, botnets use their own IP addresses!" My reply to such comments is not proper for polite (or public) discussion. If you believe that, email me privately and I shall try to explain nicely why you are very, very, very, very, very confused.
Making your own network clean, which is a VERY GOOD IDEA AND EVERYONE SHOULD DO IT, does not stop other networks spoofing. And while people frequently say CNSes should only answer for their own network, most eyeball networks leave their CNSes open because users travel and it causes support calls (read: "costs money") when the name server fails for those users. If the CNSes are open, spoofed packets matter.
If you do not leave your CNSes open, more power to you. At that point, depending on what is discussed below, "X times normal" may work.
> At that point, random botnets are not the problem. If you get an
> excessive number of queries from a customer, you can shut off the
> customer (because either they have broken software or they're infected).
If you have a significant fraction of users p0wned, you are screwed. Rate limit individual users (which may not be easy, depending on your setup) and you will be inundated with calls because a bunch of users think the Internet is down. Don't rate limit and your DNS will go down anyway.
The only solution? Have enough capacity for all the queries. Which does not mean "X times normal".
Sucks, but there it is.
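Added illustration, not part of the original thread or anyone's posted code: a resolver-side sketch of the two controls discussed above for the closed-CNS case. Queries from source addresses outside the operator's own space are refused outright (the resolver-side counterpart of the ingress filtering BCP38 asks networks to do), and in-network sources get a per-address sliding-window query limit so one infected customer cannot exhaust the cache. The prefixes, limits and the query stream are constructed for the example; nothing here models the open-CNS situation where spoofed packets still reach the server.

```python
"""
Added example (not from the dns-operations thread): resolver policy that
(1) refuses queries whose source is outside the operator's own prefixes and
(2) rate limits each in-network source with a sliding window.
"""
import ipaddress
from collections import defaultdict, deque

# Hypothetical operator address space (assumption, documentation prefixes).
OWN_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def is_own_client(src: str, prefixes=OWN_PREFIXES) -> bool:
    """True when src falls inside one of the operator's own prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


class PerSourceLimiter:
    """At most `limit` queries per `window` seconds for each source address."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # src -> timestamps still inside the window

    def allow(self, src: str, ts: float) -> bool:
        q = self.hits[src]
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def apply_policy(queries, limit=5, window=1.0, prefixes=OWN_PREFIXES):
    """Run (ts, src, qname) tuples through both checks; return tallies and flagged sources.

    Queries for one source must be in time order; ordering across sources is irrelevant.
    """
    limiter = PerSourceLimiter(limit, window)
    tally = {"answered": 0, "refused_external": 0, "rate_limited": 0}
    flagged = set()  # in-network sources that hit the limit: candidates for a support call
    for ts, src, _qname in queries:
        if not is_own_client(src, prefixes):
            tally["refused_external"] += 1
            continue
        if not limiter.allow(src, ts):
            tally["rate_limited"] += 1
            flagged.add(src)
            continue
        tally["answered"] += 1
    return tally, flagged


# Constructed sample stream, not real logs: one normal user, one infected
# host querying far above the limit, and one source outside our prefixes.
SAMPLE = (
    [(0.1 * i, "192.0.2.10", "example.com.") for i in range(3)]
    + [(0.05 * i, "192.0.2.77", "example.net.") for i in range(20)]
    + [(0.2 * i, "198.51.100.5", "example.org.") for i in range(4)]
)

if __name__ == "__main__":
    counts, noisy = apply_policy(SAMPLE)
    print(counts)                      # {'answered': 8, 'refused_external': 4, 'rate_limited': 15}
    print("sources over limit:", noisy)  # {'192.0.2.77'}
```

The limiter only bounds how much one source can take; it does nothing about the aggregate, which is the point of the reply above: if enough customers are infected, the sum of the per-source allowances still has to fit the server's capacity.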