On Thu, 21 Jul 2016, Mukund Sivaraman wrote:

> On Thu, Jul 21, 2016 at 11:10:10AM -0400, Paul Wouters wrote:
>> And I have been wondering if we should allow for a DNS padding in the
>> query packet to ensure answer packets (over UDP) are going to be
>> smaller than the query packet, and therefore prevent DDoS
>> amplification.
>
> This has been mentioned before. Some thoughts:
>
> For DNS, this can affect some cases such as query packets not making it
> to the server due to size, lack of ability of the client to guess what
> the answer's message size may be, and also EDNS UDP payload size
> behavior.

We only need to make it less attractive; we don't have to guarantee the
question is larger. Just close the gap between question and answer.

So doing a 1200 byte DNS query packet could be safe?

> Once a client cookie has been established (associated with a source IP
> address), there's no need to use padding, so perhaps this could be a
> step in the initial handshake when the cookie is established - there
> could be message size limits to these cookie-establishment queries and
> replies.

That's very true, but it requires we have a lot more clients supporting
COOKIEs before we can punish those small questions that don't. Which I
guess applies to the padding question too, so yeah, I guess my idea is
not enough too late and we should just deploy cookies.

> DJB's CurveCP comes to mind about how it prevents amplification for the
> initial handshake.

Some googling only finds marketing material, not a specification I can
read :P

Paul
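To make the size argument in the thread concrete, here is an added example (not code from the thread participants or from any DNS implementation) that builds a minimal DNS query carrying an EDNS(0) Padding option (RFC 7830, option code 12) up to a requested size, parses the padding back out, and reports the amplification factor a reflector would get for a given response size. The query name, transaction ID, response sizes and the 1232-byte size ceiling are constructed values chosen for the example.

```python
import struct

EDNS_PADDING_OPTION = 12   # RFC 7830 EDNS(0) Padding option code
OPT_TYPE = 41              # OPT pseudo-RR type (RFC 6891)
DEFAULT_UDP_PAYLOAD = 1232 # advertised EDNS buffer size; also used here as a safe query ceiling (assumption)


def encode_name(name):
    """Encode a dotted name into DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, pad_to=None,
                udp_payload=DEFAULT_UDP_PAYLOAD, max_size=DEFAULT_UDP_PAYLOAD):
    """Build a query with one question and one OPT RR, padded to pad_to bytes if given."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    opt_fixed_len = 1 + 2 + 2 + 4 + 2   # root name, TYPE, CLASS(payload size), TTL, RDLEN
    base_len = len(header) + len(question) + opt_fixed_len
    rdata = b""
    if pad_to is not None:
        if pad_to > max_size:
            # Mukund's first caveat: an oversized query may never reach the server.
            raise ValueError("padded query would exceed the size ceiling")
        pad_len = pad_to - base_len - 4   # 4 bytes for OPTION-CODE and OPTION-LENGTH
        if pad_len < 0:
            raise ValueError("target size is smaller than the unpadded query")
        rdata = struct.pack("!HH", EDNS_PADDING_OPTION, pad_len) + b"\x00" * pad_len
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1


def padding_length(msg):
    """Return the EDNS Padding option length found in a query's OPT RR, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    # A query carries no answer/authority RRs, so the additional section follows directly.
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            if code == EDNS_PADDING_OPTION:
                return olen
            pos += 4 + olen
    return None


def amplification_factor(query_len, response_len):
    """Bytes a reflector sends per byte the spoofing sender had to put on the wire."""
    return response_len / query_len


if __name__ == "__main__":
    plain = build_query("example.com.")
    padded = build_query("example.com.", pad_to=1200)
    response_len = 1200   # constructed: a large (e.g. DNSSEC) response size
    print(len(plain), amplification_factor(len(plain), response_len))    # 40 30.0
    print(len(padded), amplification_factor(len(padded), response_len))  # 1200 1.0
```

Padding to 1200 bytes collapses the 30x ratio of the unpadded 40-byte query to 1x for a 1200-byte answer, which is Paul's "close the gap" point; the ceiling check reflects Mukund's caveat that the padded query itself must still fit on the path.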
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop