[dns-operations] Storm on the DNS
davew at hireahit.com
Tue Dec 1 03:33:37 UTC 2015
On 2015-11-30 19:07, Song Linjian (Davey) wrote:
> One question. In the monitoring page the red block means unanswered
> packets ratio >70%, right? I'm wondering whether the root server instance in
> that red region is up or down. If it is still up, the queries cannot
> be routed to other servers where the probes show green. In that
> case the merit of anycast does not work.
To me, anycast does two things in terms of limiting the impact of an
outage: in the case of a service outage it redirects traffic, but also,
it limits the scope of an attack to a single node or region (or at
least, dramatically raises the bar for a DDoS to cause an outage in
However, if an attack is of sufficient size that it takes down a single
node, moving all of the traffic to another node will probably just take
that node down too, leaving everyone in a worse position.
In the case of root servers, where users will probably just notice a
slowdown as resolvers learn that a particular root server is unhealthy,
it's probably better to just leave one (or even a small number) of root
servers answering only a small percentage of traffic in one region so
that other regions are unaffected.
It also makes me wonder how many large ISPs run their own root servers
(or otherwise have the root zone available to their resolvers), in which
case said providers would be immune to root server attacks -- assuming
the point was an attack on the root servers themselves, and not a
reflection attack against another target.
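A small simulation of the trade-off argued in the message above (an added illustration, not code from the list post or any root operator): it compares keeping an overloaded anycast instance announced against withdrawing it so its traffic, attack included, moves to the next instance. The three-node topology, capacities and traffic volumes are constructed numbers.

```python
from collections import defaultdict

# Constructed topology (not real root-server data): three anycast instances of
# one root letter; each region prefers its nearest instance, then the others.
CAPACITY = {"eu": 100_000, "us": 100_000, "ap": 100_000}  # answerable qps per node
LEGIT = {"eu": 60_000, "us": 60_000, "ap": 60_000}        # legitimate qps per region
PREFER = {"eu": ["eu", "us", "ap"], "us": ["us", "eu", "ap"], "ap": ["ap", "us", "eu"]}


def place_load(up, attack_region, attack_qps):
    """Route each region's legitimate traffic (plus the attack originating in
    attack_region) to the first still-announced node in its preference list.
    Returns (qps per node, region -> node it landed on, or None)."""
    load, chosen = defaultdict(int), {}
    for region, prefs in PREFER.items():
        target = next((n for n in prefs if up[n]), None)
        chosen[region] = target
        if target is not None:
            load[target] += LEGIT[region] + (attack_qps if region == attack_region else 0)
    return load, chosen


def outcome(up, attack_region, attack_qps):
    """Fraction of each region's legitimate queries left unanswered. An
    overloaded node drops packets uniformly, so its drop rate is 1 - cap/load."""
    load, chosen = place_load(up, attack_region, attack_qps)
    return {r: 1.0 if n is None else max(0.0, 1 - CAPACITY[n] / load[n])
            for r, n in chosen.items()}


def stay_up(attack_region, attack_qps):
    """Policy A: keep the overloaded instance announced so it absorbs the attack."""
    return outcome({n: True for n in CAPACITY}, attack_region, attack_qps)


def withdraw_overloaded(attack_region, attack_qps):
    """Policy B: withdraw (stop announcing) every instance pushed past capacity,
    let its traffic move to the next node, and repeat until nothing is overloaded."""
    up = {n: True for n in CAPACITY}
    while True:
        load, _ = place_load(up, attack_region, attack_qps)
        overloaded = [n for n in load if load[n] > CAPACITY[n]]
        if not overloaded:
            return outcome(up, attack_region, attack_qps)
        for n in overloaded:
            up[n] = False


if __name__ == "__main__":
    print("stay up:  ", stay_up("ap", 140_000))
    print("withdraw: ", withdraw_overloaded("ap", 140_000))
```

With a 140k qps attack in one region, policy A leaves only that region degraded while policy B cascades until every instance is withdrawn; an attack the local node can absorb causes no loss under either policy.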