[dns-operations] Configurable TC=1?

Paul Vixie vixie at tisf.net
Mon Dec 21 21:58:03 UTC 2015


On Monday, December 21, 2015 03:56:44 PM Jared Mauch wrote:
> 
> 	RRL is closer to the 'right' solution, but
> you could likely do something in this part of the BIND
> codebase:
> 
> http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch
> 

when planning defense, it's best to think at least one step ahead. so, before you invest in a 
point solution such as redirecting qtype=ANY to TCP, i suggest figuring out what the bad guys 
will do as their response. if what they can do is cheap for them and expensive for you, then it 
may be a fool's errand to invest in that point solution.

the TXT response for nether.net is 306 octets. that's 5X amplification factor (BPS), which is 
relatively common since there is an SPF RR there. qtype=ANY is not required for a successful 
amplification attack against that authority server, so if it stops working, i would expect the 
bad guys to simply "adapt".

adapting to DNS RRL is not impossible, but it is at least marginally harder than switching to a 
non-DNS attack vector, so, it's good enough for now while we figure out the right way to 
incentivize more BCP38 deployment.

-- 
P. Vixie
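The two quantities the post reasons about, the bytes-per-second amplification a given response offers a spoofed-source query and how a response rate limiter changes that ratio, can be worked through numerically. The script below is an added example written for this page, not code from the thread or from BIND: it counts IPv4+UDP header overhead on the wire (the 306-octet nether.net TXT answer comes out at about 5x for an EDNS query, matching the figure above) and drives a toy per-source token bucket that sends every second rate-limited request a minimal TC=1 reply and drops the rest. The limiter is a simplified model of the idea behind DNS RRL (rate plus "slip"), with constructed parameters, not BIND's implementation; the source address and query are constructed sample values.

```python
"""
Added example: estimate wire-level amplification of a DNS response and
show how a simple RRL-style limiter (rate limit + TC=1 "slip") removes it.
Not the mailing-list author's code nor BIND's RRL; a toy model for study.
"""
from collections import defaultdict
from dataclasses import dataclass, field

IP_UDP_OVERHEAD = 20 + 8   # IPv4 header + UDP header, carried on the wire
DNS_HEADER = 12
QUESTION_FIXED = 4         # QTYPE + QCLASS after the QNAME
EDNS_OPT_RR = 11           # empty OPT pseudo-RR that most resolvers append


def wire_qname_len(name: str) -> int:
    """Wire-format length of a name: one length octet per label plus the root."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def query_size(name: str, edns: bool = True) -> int:
    """UDP payload size of a single-question query for `name`."""
    return DNS_HEADER + wire_qname_len(name) + QUESTION_FIXED + (EDNS_OPT_RR if edns else 0)


def amplification_factor(name: str, response_octets: int,
                         edns: bool = True, on_wire: bool = True) -> float:
    """Bytes-out / bytes-in for one query.  `on_wire` adds IP+UDP headers to both."""
    q, r = query_size(name, edns), response_octets
    if on_wire:
        q += IP_UDP_OVERHEAD
        r += IP_UDP_OVERHEAD
    return r / q


@dataclass
class SlipRateLimiter:
    """Per-(source /24, qname, qtype) bucket: at most `rate` full answers per
    second.  Beyond that, every `slip`-th request gets a minimal TC=1 reply
    (same size as the query, so no amplification; a real client retries over
    TCP, a spoofed source cannot) and the others are silently dropped.
    Constructed defaults; the refill is a per-second reset, not a true bucket."""
    rate: int = 5
    slip: int = 2
    _tokens: dict = field(default_factory=dict)
    _limited: dict = field(default_factory=lambda: defaultdict(int))

    def decide(self, src_ip: str, qname: str, qtype: str, second: int) -> str:
        key = (src_ip.rsplit(".", 1)[0], qname.lower(), qtype)  # /24 aggregation
        bucket_sec, tokens = self._tokens.get(key, (second, self.rate))
        if bucket_sec != second:
            tokens = self.rate
        if tokens > 0:
            self._tokens[key] = (second, tokens - 1)
            return "answer"
        self._tokens[key] = (second, 0)
        self._limited[key] += 1
        return "truncate" if self._limited[key] % self.slip == 0 else "drop"


def simulate(limiter: SlipRateLimiter, src_ip: str, qname: str, qtype: str,
             response_octets: int, n: int, edns: bool = True):
    """Send `n` identical queries from one source within one second; return the
    per-decision counts and the effective wire amplification under the limiter."""
    q_wire = query_size(qname, edns) + IP_UDP_OVERHEAD
    tc_wire = q_wire                            # TC=1 reply echoes only the question
    full_wire = response_octets + IP_UDP_OVERHEAD
    counts = {"answer": 0, "truncate": 0, "drop": 0}
    octets_out = 0
    for _ in range(n):
        decision = limiter.decide(src_ip, qname, qtype, second=0)
        counts[decision] += 1
        octets_out += {"answer": full_wire, "truncate": tc_wire, "drop": 0}[decision]
    return counts, octets_out / (n * q_wire)


if __name__ == "__main__":
    # 306-octet TXT answer from the post; query is a constructed EDNS query.
    print("unlimited amplification:", round(amplification_factor("nether.net", 306), 2))
    counts, eff = simulate(SlipRateLimiter(rate=5, slip=2), "198.51.100.7",
                           "nether.net", "TXT", 306, n=100)
    print("under limiter:", counts, "effective amplification:", round(eff, 3))
```

The unlimited ratio is what the attacker gains per spoofed packet; the limited ratio is what the authority still sends back to the victim prefix, and once it drops below 1.0 the server is no longer an amplifier for that (source, answer) pair, which is the property that makes RRL worth more than a qtype-specific point fix.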