[dns-operations] First experiments with DNS dampening to fight amplification attacks
matthaeus.wander at uni-due.de
Fri Sep 28 15:16:03 UTC 2012
* bert hubert [2012-09-28 09:44]:
> Hmmm for authoritative servers, we might also emit a CNAME "challenge". This
> would be a needless and semantically null transition, but only a bona fide
> resolver will come back to follow the CNAME trail.
> This allows us to test for two-way communications without using truncated
> packets or TCP.
> We could encode the encrypt the correct destination in the CNAME, for A and
> AAAA this is trivial. If you come back to resolve
> encoded-188.8.131.52.attackeddomain.com, you get 184.108.40.206 etc. For extra
> resilience encrypt it.
There has been recently a patent granted with this method:
Though they don't use it do decide about blocking, but use the CNAME
challenge on every query, still providing a small amplification. This
comes at the risk of running into resolver issues with NS or MX records...
Bismarckstr. 90 / BC 316
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5156 bytes
Desc: S/MIME Kryptografische Unterschrift
More information about the dns-operations