On Mon, May 16, 2016 at 09:34:17PM +0000, Wessels, Duane wrote:
> I think what you're suggesting has already been proposed. See
> https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/ and
> https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/

It is in fact something you can do today. Some of the largest PowerDNS Recursor
sites in the world run with 'root-nx-trust' enabled: "If set, an NXDOMAIN from
the root-servers will serve as a blanket NXDOMAIN for the entire TLD the query
belonged to. The effect of this is far fewer queries to the root-servers."

This after f-root had enabled RRL slightly too aggressively on some nodes.

We just tested this setting against the "owned Ubiquity" attack and after a
thousand queries or so traffic to the roots dropped off to almost zero.

	Bert

> DW
>
> > On May 16, 2016, at 2:23 PM, Brian Somers <bsom...@opendns.com> wrote:
> >
> > Hi folks,
> >
> > I work at OpenDNS. We saw a DoS attack in Miami on Friday night around
> > 10-11:00pm PST, consisting of UDP DNS requests for AAA.BBB.CCC.DDD where
> > each of AAA, BBB, CCC and DDD are three digit numbers not greater than 500.
> >
> > Each query was answered with an NXDOMAIN by the root servers, although
> > our resolvers cached the NXDOMAIN for 1 hour (we cap negative responses at
> > 1 hour despite the larger SOA MINIMUM) it was ineffective in reducing the
> > load on the root servers as every varying query was another root server
> > request.
> >
> > We eventually blackholed all TLDs from 000 to 500 to stifle the problem
> > (locally delegating them to 127.0.0.1 where we don't listen).
> >
> > However, during the attack, we also saw a huge number of TCP sockets in
> > TIME_WAIT talking to root servers (probably all root servers). I'm curious
> > if
> >
> > 1. Are root servers doing some sort of tar pitting where they send a TC
> > and then firewall port 53?
> > 2. Has anyone ever considered a better way than responding with NXDOMAIN?
> >
> > The second is a loaded question, but it occurs to me that a new type of
> > negative response to (say) 111.222.333.444/IN/A might be an NXDOMAIN with
> > an SOA record (as we do now) but also with an indicator that 444 and below
> > are NXDOMAINs. I'm not sure what that might look like, maybe "444/IN/NS ."
> > in the AUTHORITY section where "." is the NS value meaning that 444 is
> > actually delegated to nobody.
> >
> > Thoughts/comments?
> >
> > —
> > Brian
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
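As an added illustration of the two cache behaviours discussed in this thread (a constructed simulation, not code from the thread or from PowerDNS), the block below replays a deterministic stream of AAA.BBB.CCC.DDD names through a per-name negative cache and through a cache that applies the 'root-nx-trust' rule, and counts how many lookups still have to reach a root server. Class and function names are my own; negative-cache TTL expiry is ignored because the stream is far shorter than the one-hour cap mentioned above.

```python
# Constructed simulation (not PowerDNS code) of the thread's scenario: queries
# for AAA.BBB.CCC.DDD with numeric labels in 000..500, each NXDOMAIN at the root.
# Compares per-name negative caching with 'root-nx-trust' (one root NXDOMAIN
# taken to cover the whole TLD).  Negative-cache TTL expiry is ignored.
import random


class Resolver:
    def __init__(self, root_nx_trust):
        self.root_nx_trust = root_nx_trust
        self.nx_names = set()   # exact names cached as NXDOMAIN
        self.nx_tlds = set()    # TLDs cached as NXDOMAIN (root-nx-trust only)
        self.root_queries = 0   # lookups that had to go to a root server

    def resolve(self, qname):
        tld = qname.rsplit(".", 1)[-1]
        if qname in self.nx_names:
            return "NXDOMAIN (negative cache)"
        if self.root_nx_trust and tld in self.nx_tlds:
            return "NXDOMAIN (blanket TLD negative cache)"
        # Cache miss: ask a root server, which says NXDOMAIN for a numeric TLD.
        self.root_queries += 1
        self.nx_names.add(qname)
        if self.root_nx_trust:
            # Root is authoritative for the TLD level: trust its NXDOMAIN for the TLD.
            self.nx_tlds.add(tld)
        return "NXDOMAIN (root)"


def sample_stream(count, seed=1):
    """Constructed sample names in the AAA.BBB.CCC.DDD pattern (deterministic)."""
    rng = random.Random(seed)
    return ["%03d.%03d.%03d.%03d" % tuple(rng.randint(0, 500) for _ in range(4))
            for _ in range(count)]


def compare(count=2000, seed=1):
    """Return (root queries without trust, with trust, with trust in 2nd half)."""
    names = sample_stream(count, seed)
    plain, trust = Resolver(False), Resolver(True)
    for name in names:
        plain.resolve(name)
    half = count // 2
    for name in names[:half]:
        trust.resolve(name)
    first_half = trust.root_queries
    for name in names[half:]:
        trust.resolve(name)
    return plain.root_queries, trust.root_queries, trust.root_queries - first_half
```

Without root-nx-trust every distinct name is a fresh root query; with it the root is asked at most once per TLD (501 possible here), so the second half of the stream produces only a trickle of root traffic.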