[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Jared Mauch jared at puck.nether.net
Mon Oct 24 18:08:00 UTC 2016


On Mon, Oct 24, 2016 at 10:55:21PM +0530, Mukund Sivaraman wrote:
> Hi Jared
> 
> On Mon, Oct 24, 2016 at 12:29:24PM -0400, Jared Mauch wrote:
> > 
> > > On Oct 24, 2016, at 12:23 PM, Mukund Sivaraman <muks at isc.org> wrote:
> > > 
> > > This will not minimize the number of fetches directed at
> > > an authoritative server.
> > 
> > I’m not certain of this, eg: bind has limits on fetches per NS, so
> > it’s not like 1000 clients asking for the same QNAME would result in a
> > 1K QPS load on the back-side, but these synthesized responses would
> > certainly increase the stub -> recursive query volume assuming they
> > honor the TTL=0.
> 
> In BIND resolver, for an outstanding question that's already being asked
> to an authoritative server, no further fetches will be sent for
> it. That's even without the fetches-per-server stuff. Even without any
> serving of stale answers, if a resolver gets 1000 client queries for a
> name in a sequence and there's no non-expired answer in cache, it will
> send 1 fetch to a remote NS and while that is outstanding, join the rest
> of the queries with the first.

	Thanks for that clarification.

	I'm wondering if anyone else implements the TTL=0 behavior so we
can investigate that to keep end-customer impacting issues to a minimum.

	I don't want to serve up invalid data, but keeping last known
with TTL=0 seems a fair response given enough resources to not have
that answer expired or invalidated with alternate data.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
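As an added illustration, not code from this thread or from BIND, here is a toy resolver model of the two behaviours discussed above: client queries for a name with a fetch already outstanding are joined to that fetch rather than producing more upstream traffic, and when the authoritative server does not answer, the last known good answer is returned with TTL=0 instead of a failure. The qname and addresses are constructed sample values.

```python
class Resolver:
    """Constructed toy model of a recursive resolver's cache and fetch queue."""

    def __init__(self):
        self.cache = {}        # qname -> (rdata, expires_at)
        self.pending = {}      # qname -> clients waiting on ONE outstanding fetch
        self.fetches_sent = 0  # upstream queries actually sent to the auth server

    def query(self, qname, client, now):
        """Return (rdata, ttl) if answerable from a fresh cache entry, else
        queue the client on the (single) outstanding fetch and return None."""
        entry = self.cache.get(qname)
        if entry and entry[1] > now:
            return entry[0], entry[1] - now
        if qname in self.pending:
            self.pending[qname].append(client)   # join the existing fetch
        else:
            self.pending[qname] = [client]       # first asker triggers the fetch
            self.fetches_sent += 1
        return None

    def upstream_reply(self, qname, answer, now):
        """Deliver the auth server's reply (or None on timeout) to every joined
        client. Returns a list of (client, rdata, ttl) tuples."""
        waiters = self.pending.pop(qname, [])
        if answer is not None:
            rdata, ttl = answer
            self.cache[qname] = (rdata, now + ttl)
            return [(c, rdata, ttl) for c in waiters]
        stale = self.cache.get(qname)
        if stale is not None:                    # serve last known good, TTL=0
            return [(c, stale[0], 0) for c in waiters]
        return [(c, None, None) for c in waiters]  # nothing to serve: failure


def simulate():
    """1000 clients at t=0 with an empty cache, then 1000 more at t=400 after
    the 300s record expired and the auth server stops answering."""
    r = Resolver()
    name = "www.example.com."                    # constructed qname
    for c in range(1000):
        assert r.query(name, c, now=0) is None   # all wait on one fetch
    fresh = r.upstream_reply(name, ("192.0.2.10", 300), now=0)
    for c in range(1000):
        assert r.query(name, c, now=400) is None # expired: one new fetch
    stale = r.upstream_reply(name, None, now=400)
    return r.fetches_sent, len(fresh), stale[0][1:]
```

Two fetches leave the resolver for 2000 client queries; the second burst is answered from the stale record with TTL=0, which is exactly why stubs honouring that TTL will come back sooner.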


