[dns-operations] Another whitepaper on DDOS
vjs at rhyolite.com
Thu Feb 21 18:47:53 UTC 2013
> From: Jeff Wright <jwright at isc.org>
On one hand, it
- gets significant bits of history wrong, such as the claim that
SSL had nothing to do with authentication and authorization
until EV certificates. If confidentiality ("encryption") were
the sole point of SSL, then SSL would have gone straight to a
DH exchange and done no public key computing. EV would not be
a minor elaboration of the old, widely used PKI. (page 15)
- urges the use of "DNS Authentication." I guess "DNS authentication
[would work] to ensure that source queries to a DNS server ...
are in fact coming from a valid host" if you can find and deploy
DNS stub resolvers that support DNS authentication and then deploy
them. I think that's practically impossible for the foreseeable
future. It might instead be referring to ACLs in servers and
relying on IP source addresses as authentication tokens, but that
would be almost as lame. (page 6)
- advocates naive, and so bad, query rate limiting and separate
NXDOMAIN rate limiting. It should have mentioned RRL. (page 6)
- advocates applying RegExes and packet capture for no purpose.
Looking for text in DNS packets will find lots of it separated
by what look like ASCII control characters. Unless you have a
specific target, you're unlikely to do more than waste time by
manually staring at packets for any port. (page 6)
On the other hand, those are all minor nits and mostly reflect
my prejudiced and overly strict reading.
Overall, I found it innocuous and entertaining.
If it seems revolutionary or eye opening and you have relevant
responsibilities, then you urgently need more than any such document
Vernon Schryver vjs at rhyolite.com
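The rate-limiting point in the post, illustrated with an added example that is not part of the message or of any RRL implementation: a simplified model of naive per-source query rate limiting next to Response Rate Limiting in the style of BIND/NSD (responses keyed by client netblock and response identity, with SLIP sending every Nth suppressed response as a truncated TC=1 reply). The traffic, the response sizes, the prefix length and the limits are constructed for the illustration; real RRL additionally keys on rcode and has separate limits for NXDOMAIN and error responses.

```python
"""Added example (not from the mailing-list post): naive per-source query
rate limiting versus a simplified Response Rate Limiting (RRL) model.
All traffic, sizes and limits below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Constructed response sizes in bytes; real answers vary with zone content.
FULL_RESPONSE_BYTES = {"ANY": 3000, "A": 100}
TC_RESPONSE_BYTES = 60  # a TC=1 reply carries little more than the question


@dataclass(frozen=True)
class Query:
    t: int        # arrival second
    src: str      # source address on the wire; trivially spoofed over UDP
    qname: str
    qtype: str


def naive_query_limiter(queries, queries_per_sec):
    """Per-source-address query limit: once an address has sent
    queries_per_sec queries in a second, the rest are dropped.
    Returns a list of (query, action) with action in {answer, drop}."""
    seen = Counter()
    out = []
    for q in queries:
        seen[(q.src, q.t)] += 1
        out.append((q, "answer" if seen[(q.src, q.t)] <= queries_per_sec else "drop"))
    return out


def rrl(queries, responses_per_sec, slip=2, ipv4_prefix_len=24):
    """Simplified RRL: identical responses (same qname/qtype here) to the
    same client netblock are limited per second. Every `slip`-th suppressed
    response is sent truncated (TC=1) so a genuine client retries over TCP;
    the others are dropped. IPv4 only; real RRL uses /56 for IPv6."""
    def netblock(addr):
        return str(ipaddress.ip_network(f"{addr}/{ipv4_prefix_len}", strict=False))

    sent, suppressed, out = Counter(), Counter(), []
    for q in queries:
        key = (netblock(q.src), q.qname.lower(), q.qtype)
        if sent[(key, q.t)] < responses_per_sec:
            sent[(key, q.t)] += 1
            out.append((q, "answer"))
        else:
            suppressed[key] += 1
            tc = slip and suppressed[key] % slip == 0
            out.append((q, "tc" if tc else "drop"))
    return out


def bytes_toward(decisions, addr):
    """Bytes the server reflects at `addr` under the given decisions."""
    total = 0
    for q, action in decisions:
        if q.src != addr:
            continue
        if action == "answer":
            total += FULL_RESPONSE_BYTES[q.qtype]
        elif action == "tc":
            total += TC_RESPONSE_BYTES
    return total


def legit_answered(decisions, legit):
    """How many of the victim's own (non-spoofed) queries got a full answer."""
    return sum(1 for q, action in decisions if q in legit and action == "answer")


def build_traffic():
    """Constructed second of traffic: an attacker spoofs the victim's address
    on 100 identical 'example.com ANY' queries; the victim's real resolver
    then sends 5 distinct A queries from the same address."""
    victim = "192.0.2.10"
    flood = [Query(0, victim, "example.com", "ANY") for _ in range(100)]
    legit = [Query(0, victim, f"host{i}.example.com", "A") for i in range(5)]
    return victim, flood, legit


def compare(queries_per_sec=20, responses_per_sec=5, slip=2):
    """Return {scheme: (bytes reflected at victim, legit queries answered)}."""
    victim, flood, legit = build_traffic()
    traffic = flood + legit
    unlimited = [(q, "answer") for q in traffic]
    naive = naive_query_limiter(traffic, queries_per_sec)
    limited = rrl(traffic, responses_per_sec, slip)
    return {
        "unlimited": (bytes_toward(unlimited, victim), legit_answered(unlimited, legit)),
        "naive": (bytes_toward(naive, victim), legit_answered(naive, legit)),
        "rrl": (bytes_toward(limited, victim), legit_answered(limited, legit)),
    }


if __name__ == "__main__":
    for scheme, (reflected, answered) in compare().items():
        print(f"{scheme:10s} bytes at victim={reflected:7d} legit answered={answered}")
```

The per-source limiter treats the spoofed flood and the victim's own lookups as one client, so it cuts the reflected volume only by dropping the victim's real queries with it. The response-keyed model answers the five distinct legitimate queries in full while allowing only five full copies of the amplifying answer, with the SLIP replies small enough that the retry path over TCP costs the reflector almost nothing.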