[dns-operations] Configurable TC=1?

Jared Mauch jared at puck.nether.net
Tue Dec 22 00:46:43 UTC 2015


On Tue, Dec 22, 2015 at 11:33:30AM +1100, Mark Andrews wrote:
> 
> In message <20151222002233.GD5821 at puck.nether.net>, Jared Mauch writes:
> > On Tue, Dec 22, 2015 at 09:26:52AM +1100, Mark Andrews wrote:
> > > 
> > > In message <20151221205644.GB5821 at puck.nether.net>, Jared Mauch writes:
> > > > On Sun, Dec 20, 2015 at 03:27:00PM +0100, Ralph Babel wrote:
> > > > > Ralf Weber wrote:
> > > > > 
> > > > > > If we switch DNS to TCP there will be a huge cost
> > > > > > in implementing this, as TCP just doesn't scale
> > > > > > the way UDP does
> > > > > 
> > > > > True; so is there a nameserver implementation that
> > > > > allows me to respond with a minimal TC=1 packet if ...
> > > > > 
> > > > >   sizeof(UDP-response) > sizeof(UDP-query) * x + y
> > > > > 
> > > > > ..., x and y being fully configurable, preferably
> > > > > on a per-address-range basis, maybe even dependent
> > > > > upon the query type?
> > > > > 
> > > > > (not so much related to the "Storm on the DNS"
> > > > > issue but to DNS amplification attacks)
> > > > 
> > > > 	RRL is closer to the 'right' solution, but
> > > > you could likely do something in this part of the BIND
> > > > codebase:
> > > > 
> > > > http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch
> > > > 
> > > > 	- Jared
> > > 
> > > One thing one can do is to get cookies deployed as soon as possible.
> > > We have the code points and we have implementations so there is no
> > > reason not to deploy cookies.  That way servers can identify
> > > legitimate traffic from repeat clients.  If we can get a big enough
> > > base one could even return REFUSED to non cookie clients.
> > 
> > 	This can already be done by keeping a hash or hot cache of
> > clients that passed a prior TCP 3-way test.
> 
> Not when their addresses are being spoofed.

	This case is uncommon as the query source is often !=
front side IP, but I had this same debate several years
ago when RRL was originally developed.  The value of reducing the
reflection was similarly not seen by others for an absolutist solution.

	Thankfully most attacks are not against DNS servers but against
other devices where there would never be a 3-way handshake on tcp/53.

	You'd be amazed at how much garbage UDP traffic is out there.

> > > A BADCOOKIE response is about the same size as TC=1 response and
> > > doesn't result in TCP state being used for subsequent requests.
> > 
> > 	Yes, but keeps a similar amount of memory state as nicely
> > organized arrays of inet6/inet ranges involved in queries.
> 
> The server keeps no state.  The client keeps the state (includes
> recursive server for authoritative servers).

It doesn't come at zero cost.  Thankfully memory and disk are cheap
(and fast with SSD these days).

> > > We already have some servers generating server cookies (search for
> > > cookie).  We need more.
> > > 
> > > https://ednscomp.isc.org/compliance/summary.html

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
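The two mechanisms argued over in this thread, the size-based minimal TC=1 reply (sizeof(UDP-response) > sizeof(UDP-query) * x + y, configurable per address range) and DNS cookies with a BADCOOKIE reply for clients that have not yet proven their address, sketched as one small policy engine. This is an added example written for this page; it is not BIND code, not Jared's patch and not from any poster. The x and y values, the prefix list, the documentation-range addresses, the 16-byte HMAC-SHA256 server cookie and the "enforced" BADCOOKIE-for-clients-without-a-server-cookie behaviour are all assumptions chosen for illustration (RFC 7873 fixes the client cookie at 8 bytes and allows 8 to 32 for the server cookie, but leaves the server cookie algorithm to the server).

```python
"""Size-based TC=1 policy plus a server-side DNS cookie check (added example)."""
import hashlib
import hmac
import ipaddress

# The rule from the thread: truncate when
#     sizeof(UDP-response) > sizeof(UDP-query) * x + y
# x and y below are assumed illustrative values, not recommendations.
DEFAULT_X, DEFAULT_Y = 3.0, 200

CLIENT_COOKIE_LEN = 8    # fixed by RFC 7873
SERVER_COOKIE_LEN = 16   # RFC 7873 allows 8..32 bytes; 16 is an assumption here


class AmplificationPolicy:
    """Per-prefix (x, y) limits with longest-prefix-match lookup."""

    def __init__(self, x=DEFAULT_X, y=DEFAULT_Y):
        self.default = (x, y)
        self.prefixes = []  # list of (ip_network, (x, y))

    def add_prefix(self, cidr, x, y):
        self.prefixes.append((ipaddress.ip_network(cidr, strict=False), (x, y)))
        # most-specific prefix first, so the first hit is the longest match
        self.prefixes.sort(key=lambda p: p[0].prefixlen, reverse=True)

    def limits_for(self, addr):
        ip = ipaddress.ip_address(addr)
        for net, limits in self.prefixes:
            if ip in net:          # False across address families
                return limits
        return self.default

    def should_truncate(self, addr, query_len, response_len):
        x, y = self.limits_for(addr)
        return response_len > query_len * x + y


def tc_response_len(query_len):
    """A minimal TC=1 reply echoes header + question (+ OPT), so it is no
    larger than the query: amplification ratio 1.0."""
    return query_len


class CookieServer:
    """Server cookie = truncated HMAC-SHA256(secret, client_cookie || client IP).
    The construction (no timestamp, no secret rollover) is an assumption."""

    def __init__(self, secret):
        self.secret = secret

    def server_cookie(self, client_cookie, client_ip):
        if len(client_cookie) != CLIENT_COOKIE_LEN:
            raise ValueError("client cookie must be 8 bytes")
        msg = client_cookie + ipaddress.ip_address(client_ip).packed
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:SERVER_COOKIE_LEN]

    def verify(self, client_cookie, server_cookie, client_ip):
        expected = self.server_cookie(client_cookie, client_ip)
        return hmac.compare_digest(expected, server_cookie)


def decide(policy, cookies, client_ip, query_len, response_len, cookie_opt=None):
    """Decide how to answer one UDP query.

    cookie_opt is None (no COOKIE option in the query) or a tuple
    (client_cookie, server_cookie) where server_cookie may be None.
    Returns (action, approximate wire length of the reply).
    """
    if cookie_opt is not None:
        client_cookie, server_cookie = cookie_opt
        if server_cookie is not None and cookies.verify(client_cookie, server_cookie, client_ip):
            # A valid server cookie means this client already completed a round
            # trip from this source address, so it is not spoofed: answer in full.
            return "ANSWER", response_len
        # Enforced mode (assumed): BADCOOKIE carrying a fresh server cookie.
        # Roughly query size + 16 bytes, i.e. about a TC=1 reply, and the server
        # keeps no state; the client keeps the cookie.
        return "BADCOOKIE", query_len + SERVER_COOKIE_LEN
    if policy.should_truncate(client_ip, query_len, response_len):
        return "TC", tc_response_len(query_len)
    return "ANSWER", response_len


def demo():
    """Constructed sample inputs: a 60-byte ANY query with a 3000-byte answer."""
    policy = AmplificationPolicy()
    policy.add_prefix("192.0.2.0/24", x=100, y=0)   # assumed trusted resolver range
    cookies = CookieServer(secret=b"example-secret-rotate-me")
    cc = bytes(range(8))
    sc = cookies.server_cookie(cc, "198.51.100.7")
    results = {
        "no_cookie_unknown": decide(policy, cookies, "198.51.100.7", 60, 3000),
        "no_cookie_trusted": decide(policy, cookies, "192.0.2.5", 60, 3000),
        "good_cookie": decide(policy, cookies, "198.51.100.7", 84, 3000, (cc, sc)),
        "cookie_from_other_ip": decide(policy, cookies, "198.51.100.8", 84, 3000, (cc, sc)),
        "client_cookie_only": decide(policy, cookies, "198.51.100.7", 76, 3000, (cc, None)),
    }
    for name, (action, length) in results.items():
        print(f"{name:22s} -> {action:9s} {length:5d} bytes")
    return results


if __name__ == "__main__":
    demo()
```

The interesting case is "cookie_from_other_ip": a server cookie minted for 198.51.100.7 presented from 198.51.100.8 fails the HMAC check, so a spoofer who captured someone else's cookie still gets only the small BADCOOKIE reply. Real deployments also need secret rotation with a grace window, which this example omits.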