[dns-operations] Configurable TC=1?
Paul Vixie
paul at redbarn.org
Mon Dec 21 22:36:26 UTC 2015
On Monday, December 21, 2015 03:56:44 PM Jared Mauch wrote:
>
> RRL is closer to the 'right' solution, but
> you could likely do something in this part of the BIND
> codebase:
>
> http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch
>
when planning defense, it's best to think at least one step ahead. so, before you invest in a
point solution such as redirecting qtype=ANY to TCP, i suggest figuring out what the bad guys
will do as their response. if what they can do is cheap for them and expensive for you, then it
may be a fool's errand to invest in that point solution.

the TXT response for nether.net is 306 octets. that's a 5X amplification factor (BPS), which is
relatively common since there is an SPF RR there. qtype=ANY is not required for a successful
amplification attack against that authority server, so if it stops working, i would expect the
bad guys to simply "adapt".

adapting to DNS RRL is not impossible, but it is at least marginally harder than switching to a
non-DNS attack vector, so, it's good enough for now while we figure out the right way to
incentivize more BCP38 deployment.
--
P Vixie
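The amplification arithmetic and the RRL behaviour discussed in the message above, as an added example (not code from this thread, from BIND, or from the posted patch). It builds a wire-format TXT query for nether.net to get the query size, takes the 306-octet response figure from the post, and applies a minimal per-/24 response rate limiter with a "slip" that answers every second over-budget query with a small TC=1 reply instead of dropping it. The 28-byte IPv4+UDP overhead, the limiter's budget and slip values, and the flood sources are assumptions chosen for illustration.

```python
"""Amplification factor of a DNS response, plus a minimal RRL-style limiter.

Added example for the dns-operations thread above; not BIND code. The
306-octet TXT response size comes from the post. Header overhead, limiter
parameters and the flood sources below are assumptions for illustration.
"""
import ipaddress
import struct
from collections import defaultdict

QTYPE = {"A": 1, "TXT": 16, "ANY": 255}
IPV4_UDP_HDR = 20 + 8  # assumed per-packet IP+UDP overhead (no Ethernet framing)


def build_query(qname: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)


def amplification(response_octets: int, query: bytes, with_headers: bool = True) -> float:
    """Bytes-on-the-wire ratio of response to query.

    A BPS figure counts IP/UDP headers on both sides; a 306-octet payload
    answering a 28-octet query comes out just under 6X with headers, and
    close to 11X for the bare DNS payloads. Either way ANY is not needed.
    """
    overhead = IPV4_UDP_HDR if with_headers else 0
    return (response_octets + overhead) / (len(query) + overhead)


class RateLimiter:
    """Per-(client /24, qname, qtype) response budget per one-second window.

    Over budget, every `slip`-th response is a truncated (TC=1) reply small
    enough to carry no amplification; a real client retries over TCP, a
    spoofed source cannot. The remaining over-budget responses are dropped.
    Assumed parameters, not BIND's defaults.
    """

    def __init__(self, responses_per_second: int = 5, slip: int = 2):
        self.rps = responses_per_second
        self.slip = slip
        self.counts = defaultdict(int)  # (window, /24, qname, qtype) -> count

    def decide(self, src_ip: str, qname: str, qtype: str, now: float) -> str:
        net = ipaddress.ip_network(f"{src_ip}/24", strict=False)
        key = (int(now), str(net), qname.lower(), qtype)
        self.counts[key] += 1
        over = self.counts[key] - self.rps
        if over <= 0:
            return "answer"
        if self.slip and over % self.slip == 0:
            return "truncate"
        return "drop"


def simulate(sources, qname: str, qtype: str, limiter: RateLimiter) -> dict:
    """Run a burst of queries (all within one second) through the limiter."""
    tally = {"answer": 0, "truncate": 0, "drop": 0}
    for src in sources:
        tally[limiter.decide(src, qname, qtype, now=0.0)] += 1
    return tally


if __name__ == "__main__":
    q = build_query("nether.net", "TXT")
    print(f"query is {len(q)} octets; BPS amplification for a 306-octet TXT answer: "
          f"{amplification(306, q):.1f}X")
    # Constructed flood: 100 spoofed queries claiming one victim address.
    one_victim = simulate(["203.0.113.7"] * 100, "nether.net", "TXT", RateLimiter())
    # Constructed flood: the same 100 queries spread over 100 different /24s.
    spread = simulate([f"10.{i}.0.1" for i in range(100)], "nether.net", "TXT", RateLimiter())
    print("one /24:", one_victim)
    print("100 /24s:", spread)
```

The two constructed floods show the "one step ahead" point: a single spoofed victim address gets only the budget in full-size responses, while the attacker can restore full responses by spreading spoofed sources over many /24s, but then the amplified traffic is spread over as many networks and no longer lands on one target.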