[dns-operations] DNS at FOSDEM 2016
Ralf Weber
dns at fl1ger.de
Wed Feb 3 18:11:34 UTC 2016
Moin!
On 3 Feb 2016, at 15:27, sthaug at nethelp.no wrote:
>> DNS requests and HTTP request are two totally different beasts wrt
>> scaling, operation and cost. Also the current authoritative
>> infrastructure we have today would not scale to resolvers on all
>> clients.
>
> I don't believe there is agreement about your last sentence here.
I think we can agree to disagree.
> Personally I think the authoritative server infrastructure would
> handle this just fine - but I shudder to think about the increase in
> DNS-based reflection/amplification DDoS attack traffic which would be
> expected given a several order of magnitude increase in the number of
> resolvers.
Even normal traffic would increase way beyond what a lot of the
authoritative hosts are capable of at the moment. A CEO of a large
registrar that had a way underprovisioned DNS setup for normal traffic
once said to me at ICANN that he is in the domain business and not the
DNS business (he didn't know who Paul Mockapetris was either).
Also random subdomain attacks (or waterfall attacks, as they call them in
Asia) are still very effective at taking out domains: they use ISP
resolvers to kill the authoritative servers. If the authoritative server
were as well or better scaled than the HTTP server, the attacker would be
using something else, wouldn't they?
ISP resolvers these days run with cache hit rates way greater than 90%,
so even if you take that number it would be a 10x increase in traffic if
you count it that way, but when you look deeper the increase would be even
more. I just did a quick count for www.amazon.com on an ISP dataset I am
working on at the moment. In 10 minutes, clients (and these will be
future resolvers if we think that through to the end) asked 151657 times
for this domain, yet only 385 queries for this name were sent to the
authoritative servers, and that doesn't include delegations and side
lookups. This is a 400x increase, and while Amazon and maybe some other
big players might be able to handle that, it will need a significant
upgrade in machinery, especially at the low end or long tail of the
domain/DNS market.
And when you think about going to TCP, that is at least another 10 times
increase, according to all the measurements I know of so far.
Granted, my view might be biased as I work for a software vendor that
does sell large recursive resolvers to ISPs and Telcos, but it's also
based on looking at a lot of DNS data and dealing with analysing these
DNS attacks.
The DNS caching architecture as we have it currently still provides lots
of benefits, let alone the possibilities you have there to protect
users and authoritative servers from attacks. There also is a privacy
issue when you ask the authoritative server unencrypted directly from
the end device, and if you then add encryption that is yet another
increase in the infrastructure someone has to build.
So long
-Ralf
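The two arguments in Ralf's message (a shared ISP cache collapsing many client lookups into a few authoritative queries, and random-subdomain attacks that no cache can absorb) can be reproduced with a small simulation. The code below is an added example, not part of the original post or the thread; the workload, the client counts and the TTLs are constructed and synthetic, `zone_of` simplifies "zone" to the last two labels, and `fetch_budget` is a simplified stand-in for the per-zone fetch limits some resolvers offer, not any product's actual implementation.

```python
"""Constructed simulation of recursive-cache amortisation and of random-subdomain
("waterfall") attack traffic. All workloads here are synthetic."""
from collections import defaultdict


def zone_of(qname):
    # Simplification (assumption): treat the last two labels as the zone served by
    # one authoritative server set; ignores public-suffix rules and real delegations.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def simulate(queries, ttl, per_client=False, fetch_budget=None, window=60):
    """Replay time-ordered (t, client, qname) tuples through a TTL cache.

    per_client=False models one shared ISP resolver (one cache for everybody);
    per_client=True models a caching resolver on every client (one cache each).
    fetch_budget, if set, caps authoritative fetches per zone per `window`
    seconds (a toy version of resolver fetch limits); excess queries are
    refused rather than forwarded.  Returns client/auth/refused query counts.
    """
    cache = {}                   # cache key -> expiry time
    fetches = defaultdict(int)   # (zone, window index) -> fetches sent so far
    stats = {"client": 0, "auth": 0, "refused": 0}
    last_t = float("-inf")
    for t, client, qname in queries:
        if t < last_t:
            raise ValueError("queries must be time-ordered")
        last_t = t
        stats["client"] += 1
        key = (client, qname) if per_client else qname
        exp = cache.get(key)
        if exp is not None and t < exp:
            continue             # cache hit: answered without touching authority
        if fetch_budget is not None:
            slot = (zone_of(qname), t // window)
            if fetches[slot] >= fetch_budget:
                stats["refused"] += 1
                continue
            fetches[slot] += 1
        stats["auth"] += 1       # cache miss: one query to the authoritative side
        cache[key] = t + ttl
    return stats


def popular_name_workload(clients=1000, period=120, horizon=600, qname="www.amazon.com"):
    """Synthetic: every client asks for one popular name every `period` seconds,
    with offsets staggered so some client asks in every second of the horizon."""
    q = []
    for c in range(clients):
        offset = (c * 13) % period
        for t in range(offset, horizon, period):
            q.append((t, c, qname))
    q.sort()
    return q


def random_subdomain_workload(n=5000, horizon=600, zone="victim.example"):
    """Synthetic attack stream: every query carries a never-seen label under one
    zone, so no cache entry is ever reused and every query reaches authority."""
    return sorted((i * horizon // n, i % 50, f"{i:08x}.{zone}") for i in range(n))


if __name__ == "__main__":
    w = popular_name_workload()
    for ttl in (60, 300):
        shared = simulate(w, ttl)["auth"]
        each = simulate(w, ttl, per_client=True)["auth"]
        print(f"TTL {ttl:3d}s: {len(w)} client lookups -> shared cache sends {shared}, "
              f"per-client caches send {each} ({each // shared}x more)")
    a = random_subdomain_workload()
    print("random subdomains, shared cache:", simulate(a, 60))
    print("random subdomains, 100 fetches/zone/minute:", simulate(a, 60, fetch_budget=100))
```

With the constructed workload the shared cache forwards only one query per TTL interval regardless of how many clients ask, while per-client caches forward one per client per TTL interval, so the multiplier tracks the number of active clients rather than the query rate. The random-subdomain stream gets a 0% hit rate under either model; only a limit on fetches per zone (here a crude per-minute cap) keeps the authoritative side from seeing all of it, which is the kind of protection a shared resolver can apply and an endpoint-only resolver cannot.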