[dns-operations] Configurable TC=1?

Ralf Weber dns at fl1ger.de
Sun Dec 20 23:16:37 UTC 2015


On 20 Dec 2015, at 23:14, Dave Warren wrote:
> DNS is largely used because of amplification, which is a combined PPS 
> and BPS attack.
DNS is still mostly used for the lookup of names and numbers, though 
you could be right that the malicious usage of DNS is greater than legitimate 

> Returning TC=1 has the unique advantage of allowing a DNS server to 
> stop responding to the packets at all for a little while until/unless 
> you see a TCP DNS query from the same host (after which point you 
> might start answering UDP again, since you at least know the queries 
> are from a DNS server and not a reflection attack)
That works for this specific attack vector. It doesn't work, and we have 
seen that, when the actual client for the authoritative server is a 
legitimate resolver, possibly attacked with a random subdomain attack. 
In this case both parties quickly exhaust their TCP resources...

> Also potentially useful (although it would require wide deployment) 
> would be if a victim could send out some sort of "I'm being attacked, 
> stop responding to UDP queries" squelch, and after receiving such a 
> packet, a DNS server would only respond with TC=1 responses, and only 
> a small percentage of them (to ensure that this doesn't create a DoS 
> mechanism), with the victim knowing to use TCP. Since DNS servers 
> would still send periodic TC=1 queries, this would reduce the impact 
> if an attacker sent out spoofed squelch packets since the resolver 
> would quickly receive the TC=1 packets. Sending the same squelch 
> instruction via TCP could allow a victim to indicate an end-of-attack, 
> telling other DNS servers "don't force me to use TC=1 anymore"
Most of this signaling doesn't work in DNS, because of the difficulty of 
getting wide deployment, and most signaling can also be abused. In 
response to the random subdomain attacks most DNS software introduced 
outbound rate limiting/throttling to authoritative servers and that 
seems to work quite well. Granted that doesn't help for spoofed queries, 
but it is still cheaper than using TCP.

So long

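The per-source rate limiting with a TC=1 "slip" that the thread discusses, as an added example that is not code from the thread or from any DNS server: UDP queries over a per-window limit are mostly dropped and every n-th one gets a truncated reply, while TCP queries are always answered. The window, limit and slip values, the class and function names and the addresses are constructed for illustration.

```python
"""Toy DNS response rate limiter with a TC=1 slip (constructed example)."""
from collections import defaultdict

ANSWER, TRUNCATE, DROP = "answer", "tc=1", "drop"


class Rrl:
    """Per-source UDP limiter. Above the limit, every `slip`-th query gets a
    small TC=1 reply (a real resolver will retry over TCP, which is much
    harder to spoof) and the rest are dropped. TCP is never limited because
    the handshake already proved the source address."""

    def __init__(self, limit_per_window=5, window=1.0, slip=2):
        self.limit = limit_per_window   # answers allowed per window per source
        self.window = window            # window length in seconds (assumed)
        self.slip = slip                # 1 = truncate every excess query
        # per source: [window_start, queries_in_window, excess_in_window]
        self.state = defaultdict(lambda: [0.0, 0, 0])

    def decide(self, src, now, tcp=False):
        if tcp:
            return ANSWER
        s = self.state[src]
        if now - s[0] >= self.window:   # start a fresh window for this source
            s[0], s[1], s[2] = now, 0, 0
        s[1] += 1
        if s[1] <= self.limit:
            return ANSWER
        s[2] += 1                        # over the limit: slip or drop
        return TRUNCATE if s[2] % self.slip == 0 else DROP


def simulate(queries, **kw):
    """queries: list of (source, time, is_tcp); returns one decision each."""
    rrl = Rrl(**kw)
    return [rrl.decide(src, t, tcp) for src, t, tcp in queries]


if __name__ == "__main__":
    # Constructed flood: ten UDP queries in one second from one (spoofable)
    # source, then one more after the window has rolled over.
    flood = [("198.51.100.7", i * 0.1, False) for i in range(10)]
    flood.append(("198.51.100.7", 1.2, False))
    for (src, t, tcp), d in zip(flood, simulate(flood)):
        print(f"{t:4.1f}s {src} {'tcp' if tcp else 'udp'} -> {d}")
```

A legitimate resolver that is itself the target of a random subdomain attack crosses the same limit and is pushed to TCP, which is the failure mode the reply above points out.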