[dns-operations] First experiments with DNS dampening to fight amplification attacks

bert hubert bert.hubert at netherlabs.nl
Fri Sep 28 07:44:39 UTC 2012


On Fri, Sep 28, 2012 at 09:17:42AM +0200, Dan Luedtke wrote:
> When an IP address is blocked, we still answer to it, but only once[1].
> Regardless of what the query is, we answer:
> 
> 	TXT "temporary_blocked <challenge_1> <challenge_2>"

Hmmm, for authoritative servers, we might also emit a CNAME "challenge". This
would be a needless and semantically null transition, but only a bona fide
resolver will come back to follow the CNAME trail.

This allows us to test for two-way communications without using truncated
packets or TCP.

We could encode the correct destination in the CNAME; for A and
AAAA this is trivial. If you come back to resolve
encoded-12.32.43.43.attackeddomain.com, you get 12.32.43.43 etc. For extra
resilience, encrypt it.

I did not think this through too deeply, but what do people think?

	Bert
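The CNAME-challenge idea above, worked through as an added example (not code from the post, from Netherlabs or from any DNS server). It models the authoritative side only: a query from a dampened client gets a CNAME whose leading labels carry the real address, and a resolver that follows that CNAME gets the address back. The zone name `attackeddomain.com` is taken from the post; the key, the label layout (`encoded-<nonce>.<ciphertext>.<tag>.zone`) and the function names are assumptions. "Encrypt it" is implemented as an XOR with an HMAC-derived keystream plus a truncated HMAC tag, so that the address is not readable from the name and a forged challenge name is rejected instead of answered.

```python
import hashlib
import hmac
import ipaddress
import secrets

ZONE = "attackeddomain.com"     # zone name from the post
KEY = secrets.token_bytes(32)   # constructed per-server secret; rotate it in practice


def _keystream(key, nonce, length):
    # One HMAC-SHA256 output is enough to mask a 4-byte (A) or 16-byte (AAAA) address.
    return hmac.new(key, b"stream" + nonce, hashlib.sha256).digest()[:length]


def challenge_cname(answer_ip, key=KEY, zone=ZONE):
    """Build the CNAME target a dampened server hands out instead of the real answer.

    Layout (hypothetical): encoded-<nonce>.<ciphertext>.<tag>.<zone>, every part hex,
    so each label stays well under the 63-octet DNS label limit.
    """
    packed = ipaddress.ip_address(answer_ip).packed
    nonce = secrets.token_bytes(4)
    ct = bytes(a ^ b for a, b in zip(packed, _keystream(key, nonce, len(packed))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:8]
    return f"encoded-{nonce.hex()}.{ct.hex()}.{tag.hex()}.{zone}"


def decode_challenge(qname, key=KEY, zone=ZONE):
    """Recover the address from a follow-up query for a challenge name.

    Returns the textual address, or None if the name is not a challenge name
    issued under this key (wrong zone, bad layout, or tag mismatch).
    """
    qname = qname.lower().rstrip(".")
    suffix = "." + zone.lower()
    if not qname.endswith(suffix):
        return None
    labels = qname[:-len(suffix)].split(".")
    if len(labels) != 3 or not labels[0].startswith("encoded-"):
        return None
    try:
        nonce = bytes.fromhex(labels[0][len("encoded-"):])
        ct = bytes.fromhex(labels[1])
        tag = bytes.fromhex(labels[2])
    except ValueError:
        return None
    if len(nonce) != 4 or len(ct) not in (4, 16):
        return None
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None   # forged or corrupted name: do not answer with attacker-chosen data
    packed = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return str(ipaddress.ip_address(packed))


def answer(qname, qtype, client_blocked, real_answer, key=KEY, zone=ZONE):
    """Model of the authoritative reply logic for A/AAAA queries.

    client_blocked is whatever the dampening bookkeeping says about the source
    address; real_answer is the address the zone would normally return.
    """
    decoded = decode_challenge(qname, key, zone)
    if decoded is not None:
        # Only a resolver that parsed our earlier reply asks for this name,
        # which is the two-way-communication test the post describes.
        return ("AAAA" if ":" in decoded else "A", decoded)
    if client_blocked:
        return ("CNAME", challenge_cname(real_answer, key, zone))
    return (qtype, real_answer)


if __name__ == "__main__":
    # Constructed exchange: a blocked client asks for www, gets a CNAME,
    # follows it, and only then receives the real address.
    rtype, target = answer("www.attackeddomain.com", "A", True, "12.32.43.43")
    print(rtype, target)
    print(answer(target, "A", True, "12.32.43.43"))
```

Because the nonce is fresh per reply, the same address yields a different challenge name each time, so the names are not cacheable as a reflection payload; the decoding side is deliberately strict so that a made-up name falls through to the ordinary (still rate-limited) path rather than producing an answer.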



More information about the dns-operations mailing list