On Mon, May 16, 2016 at 09:34:17PM +0000, Wessels, Duane wrote:
> I think what you're suggesting has already been proposed.  See 
> https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/ and 
> https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/

It is in fact something you can do today. Some of the largest PowerDNS
Recursor sites in the world run with 'root-nx-trust' enabled:

"If set, an NXDOMAIN from the root-servers will serve as a blanket NXDOMAIN
for the entire TLD the query belonged to. The effect of this is far fewer
queries to the root-servers."

This after f-root had enabled RRL slightly too aggressively on some nodes.

We just tested this setting against the "owned Ubiquity" attack and after a
thousand queries or so traffic to the roots dropped off to almost zero.

        Bert


> 
> DW
> 
> 
> > On May 16, 2016, at 2:23 PM, Brian Somers <bsom...@opendns.com> wrote:
> > 
> > Hi folks,
> > 
> > I work at OpenDNS.  We saw a DoS attack in Miami on Friday night around 
> > 10-11:00pm PST, consisting of UDP DNS requests for AAA.BBB.CCC.DDD where 
> > each of AAA, BBB, CCC and DDD are three digit numbers not greater than 500.
> > 
> > Each query was answered with an NXDOMAIN by the root servers. Although 
> > our resolvers cached the NXDOMAIN for 1 hour (we cap negative responses at 
> > 1 hour despite the larger SOA MINIMUM) it was ineffective in reducing the 
> > load on the root servers as every varying query was another root server 
> > request.
> > 
> > We eventually blackholed all TLDs from 000 to 500 to stifle the problem 
> > (locally delegating them to 127.0.0.1 where we don’t listen).
> > 
> > However, during the attack, we also saw a huge number of TCP sockets in 
> > TIME_WAIT talking to root servers (probably all root servers).  I’m curious 
> > if
> > 
> > 1.  Are root servers doing some sort of tar pitting where they send a TC 
> > and then firewall port 53?
> > 2.  Has anyone ever considered a better way than responding with NXDOMAIN?
> > 
> > The second is a loaded question, but it occurs to me that a new type of 
> > negative response to (say) 111.222.333.444/IN/A might be an NXDOMAIN with 
> > an SOA record (as we do now) but also with an indicator that 444 and below 
> > are NXDOMAINs.  I'm not sure what that might look like, maybe "444/IN/NS ." 
> > in the AUTHORITY section where "." is the NS value meaning that 444 is 
> > actually delegated to nobody.
> > 
> > Thoughts/comments?
> > 
> > —
> > Brian
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> 

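The behaviour Bert and Brian are discussing can be shown with a small simulation. The code below is an added illustration written for this page, not PowerDNS Recursor code and not from anyone in the thread; the toy root zone, the names RootServer, Resolver, attack_names and simulate, and the random AAA.BBB.CCC.DDD query stream are all constructed here. A resolver with an ordinary per-name negative cache sends one root query per distinct attack name; a resolver that trusts a root NXDOMAIN for the whole TLD (the 'root-nx-trust' idea) sends at most one root query per nonexistent TLD it is asked about, which for three-digit labels capped at 500 is at most 501 queries however long the flood runs.

```python
import random
from dataclasses import dataclass, field

# Constructed toy root zone: the only TLDs that "exist" in this simulation.
TOY_ROOT_ZONE = {"com", "net", "org", "arpa"}


def tld_of(qname: str) -> str:
    """Rightmost label of a dotted name, lower-cased, trailing dot ignored."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


@dataclass
class RootServer:
    """Stand-in for a root server: NXDOMAIN for unknown TLDs, and a query counter."""
    tlds: set
    queries: int = 0

    def query(self, qname: str) -> str:
        self.queries += 1
        return "NOERROR" if tld_of(qname) in self.tlds else "NXDOMAIN"


@dataclass
class Resolver:
    """Minimal recursive resolver model that only tracks what it asks the root."""
    root: RootServer
    root_nx_trust: bool = False
    delegations: set = field(default_factory=set)  # TLDs the root has referred us to
    neg_names: set = field(default_factory=set)    # ordinary per-name negative cache
    neg_tlds: set = field(default_factory=set)     # TLDs the root said do not exist

    def resolve(self, qname: str) -> str:
        tld = tld_of(qname)
        if qname in self.neg_names:
            return "NXDOMAIN"          # classic negative-cache hit, no root traffic
        if self.root_nx_trust and tld in self.neg_tlds:
            return "NXDOMAIN"          # blanket NXDOMAIN for the whole TLD
        if tld in self.delegations:
            return "NOERROR"           # referral cached; a real resolver goes to the TLD servers
        rcode = self.root.query(qname)
        if rcode == "NXDOMAIN":
            self.neg_names.add(qname)
            if self.root_nx_trust:
                self.neg_tlds.add(tld)  # remember the root's verdict for the TLD itself
        else:
            self.delegations.add(tld)
        return rcode


def attack_names(count: int, seed: int = 1) -> list:
    """Constructed flood shaped like the one described: AAA.BBB.CCC.DDD, each label 000-500."""
    rng = random.Random(seed)
    return [".".join(f"{rng.randint(0, 500):03d}" for _ in range(4)) for _ in range(count)]


def simulate(count: int, root_nx_trust: bool, seed: int = 1) -> dict:
    """Run the flood through one resolver and report how much of it reached the root."""
    root = RootServer(set(TOY_ROOT_ZONE))
    resolver = Resolver(root, root_nx_trust=root_nx_trust)
    names = attack_names(count, seed)
    for name in names:
        assert resolver.resolve(name) == "NXDOMAIN"
    # Legitimate traffic is unaffected by the TLD-level negative entries.
    assert resolver.resolve("www.example.com") == "NOERROR"
    return {
        "root_queries": root.queries,
        "distinct_names": len(set(names)),
        "nonexistent_tlds_seen": len(resolver.neg_tlds),
    }


if __name__ == "__main__":
    for trust in (False, True):
        print("root-nx-trust" if trust else "per-name cache", simulate(20000, trust))
```

The model deliberately ignores TTLs: in a real resolver the per-TLD negative entry should expire with the negative TTL of the root's SOA (or the resolver's own cap on it), after which one more root query per TLD is needed. The cost of the mechanism is therefore bounded by the number of nonexistent TLDs actually queried per TTL window, not by the number of names in the flood.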
