[dns-operations] solutions for DDoS mitigation of DNS

Fred Morris m3047 at m3047.net
Fri Apr 3 00:51:50 UTC 2020


Yes, although if you don't believe us maybe you're looking in the wrong 
place....

On Thu, 3 Apr 2020, John Levine wrote:
> In article <c3569cd8-ca3e-5557-0ad9-1141ef4fd9b0 at plum.ovh>,
> Tessa Plum <tessa at plum.ovh> wrote:
>> University has generally some private research projects who have their
>> domain names, but university won't let others see these domain names
>> unless the projects have got public.
>
> If those names are ever retrieved by users on networks outside your
> university, it's very likely that they're in public passive DNS
> databases that are widely visible.  It is not realistic to believe
> that you can put names in your public DNS and not have the world
> know about them.

There is this thing called a "search list". Love 'em or hate 'em (kind of 
like DNAMEs!).

Suppose your (ab)user is in a coffee shop (wearing appropriate hazmat gear 
of course). They load their web browser. It's visited 
secret-project.university-example.edu previously. Being extremely helpful, 
the browser tries to prefetch the address for 
secret-project.university-example.edu. When that doesn't work, it then 
tries secret-project.university-example.edu.coffeeshop-example.com. And so 
on, and so forth. (*cough* .cisco *cough* .belkin... no it's not COVID, I 
seem to have some DNS caught in my throat...)

--

Fred Morris
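
The search-list behaviour described in the message above, as an added example that is not part of the original post: it lists the names a stub resolver would try and flags observed queries in which a protected zone is followed by a foreign suffix. It assumes resolv.conf-style search/ndots handling; the function names are hypothetical and the query list is constructed from the example names in the message.

```python
# Added example: stub-resolver search-list expansion and a check for leaked names.
# Function names are hypothetical; the query list below is constructed.

def candidate_queries(name, search_list, ndots=1):
    """Names a stub resolver tries, in order (resolv.conf-style search/ndots)."""
    if name.endswith("."):
        return [name]                      # rooted name: search list is not applied
    absolute = name + "."
    suffixed = [f"{name}.{s.strip('.')}." for s in search_list]
    # Enough dots: try the name as-is first, then each search suffix.
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


def leaked_names(qnames, protected_zone):
    """Find qnames where protected_zone is followed by a foreign suffix.

    Returns (qname, internal_name, foreign_suffix) tuples.
    """
    zone = protected_zone.lower().strip(".").split(".")
    hits = []
    for qname in qnames:
        labels = qname.lower().strip(".").split(".")
        # Zone must end before the last label, so a foreign suffix remains.
        for i in range(len(labels) - len(zone)):
            end = i + len(zone)
            if labels[i:end] == zone:
                hits.append((qname, ".".join(labels[:end]), ".".join(labels[end:])))
                break
    return hits


# Constructed sample: queries as seen by the coffee shop's resolver.
OBSERVED = candidate_queries(
    "secret-project.university-example.edu", ["coffeeshop-example.com"]
) + ["www.coffeeshop-example.com."]

if __name__ == "__main__":
    for qname, internal, suffix in leaked_names(OBSERVED, "university-example.edu"):
        print(f"{qname}: exposes {internal} via search suffix {suffix}")
```

The same check can be run over passive DNS results for your own zone name to see which internal names have already escaped this way.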



