Re: [dns-operations] rate-limiting state

2014-02-06 Thread Patrick W. Gilmore
On Feb 06, 2014, at 18:59 , Colm MacCárthaigh wrote: > On Thu, Feb 6, 2014 at 3:28 PM, Paul Vixie wrote: >> second, RRL does not see SYNs. the kernel probably has SYN flood protection, >> which like a stateful firewall might penalize a host or netblock's real >> SYNs, but that has nothing to d

Re: [dns-operations] rate-limiting state

2014-02-07 Thread Patrick W. Gilmore
On Feb 07, 2014, at 07:09 , Tony Finch wrote: > Colm MacCárthaigh wrote: >> I don't see anyone disputing my example, and I'm not calling out RRL's >> ability to dampen a reflection attack. I'm saying that RRL can be used to >> counter-attack your users. Let's say a busy website gets 1,000 QPS of

Re: [dns-operations] rate-limiting state

2014-02-07 Thread Patrick W. Gilmore
On Feb 7, 2014, at 9:16, Tony Finch wrote: > Patrick W. Gilmore wrote: >>> On Feb 07, 2014, at 07:09 , Tony Finch wrote: >>> >>> If my busy name server is getting 1000 qps of real traffic from all over >>> the net, and 1000 qps of attack traffic "fr

Re: [dns-operations] rate-limiting state

2014-02-07 Thread Patrick W. Gilmore
On Feb 7, 2014, at 9:56, Tony Finch wrote: > David C Lawrence wrote: >> >> Maybe Patrick glossed over the mere "1000 qps", which for many (most? >> hand-waving) operators doesn't even blip as an attack. At the >> attack-level traffic to which he is accustomed, the inbound requests >> can easily
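A small model of the trade-off this thread argues over, added here as an example; it is not code from the thread, from any of its posters, or from BIND or any other name server. Response Rate Limiting keys its token bucket on (client netblock, response), so a flood spoofed from a resolver's address shares that resolver's bucket: the reflection is damped, but the resolver whose address was forged is rate-limited along with the attacker and is left relying on "slip" (a truncated TC=1 reply that a real client can retry over TCP). The limit of 10 responses/s, slip 2, 1000 spoofed qps, 5 real qps, the 3000-byte answer, the 60-byte query and the arrival order are all constructed assumptions, not measurements.

```python
"""Token-bucket model of DNS Response Rate Limiting (RRL) with "slip".

Added example for this thread; not code from the thread or from any DNS
server.  It models the point argued above: RRL keys its limit on
(client netblock, response), so a flood spoofed from a resolver's
address shares that resolver's bucket.  Every number here (10
responses/s, slip 2, 1000 spoofed qps, 5 real qps, a 3000-byte answer,
a 60-byte query) is a constructed assumption, not a measurement.
"""
import ipaddress
from collections import Counter, defaultdict

LIMIT = 10           # responses per second per (netblock, qname, qtype); assumed
SLIP = 2             # every 2nd excess response goes out truncated (TC=1) instead of dropped
ANSWER_BYTES = 3000  # assumed size of the full UDP answer the attacker wants reflected
QUERY_BYTES = 60     # assumed size of a query and of a TC=1 reply (header + question only)
RESOLVER_IP = "192.0.2.53"   # the real resolver whose address the attacker spoofs
QNAME, QTYPE = "www.example.com", "A"
ATTACK_QPS, LEGIT_QPS = 1000, 5
# Constructed arrival order: the resolver's 5 real queries land at these
# positions among the 1005 queries the server sees in one second.
LEGIT_SLOTS = (101, 302, 503, 704, 905)


def rrl_key(client_ip, qname, qtype):
    """RRL aggregates clients by netblock (BIND defaults: /24 for IPv4, /56 for IPv6)."""
    addr = ipaddress.ip_address(client_ip)
    prefix = 24 if addr.version == 4 else 56
    net = ipaddress.ip_interface(f"{client_ip}/{prefix}").network
    return (str(net), qname.lower(), qtype)


class RRL:
    """Per-second credit per key; limit=None disables rate limiting entirely."""

    def __init__(self, limit=LIMIT, slip=SLIP):
        self.limit, self.slip = limit, slip
        self.credit = {}
        self.excess = defaultdict(int)

    def decide(self, client_ip, qname, qtype):
        if self.limit is None:
            return "answer"
        key = rrl_key(client_ip, qname, qtype)
        left = self.credit.get(key, self.limit)
        if left > 0:
            self.credit[key] = left - 1
            return "answer"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "truncate"          # tiny TC=1 reply: "come back over TCP"
        return "drop"


def simulate(attack=True, rrl=None):
    """One second of traffic; returns what the server sent to each class of sender."""
    if rrl is None:
        rrl = RRL()
    seen = {"legit": Counter(), "spoofed": Counter()}
    total = ATTACK_QPS + LEGIT_QPS if attack else LEGIT_QPS
    for i in range(total):
        cls = "legit" if (not attack or i in LEGIT_SLOTS) else "spoofed"
        verdict = rrl.decide(RESOLVER_IP, QNAME, QTYPE)   # same source IP either way
        seen[cls][verdict] += 1
        if verdict == "truncate" and cls == "legit":
            # A real resolver retries over TCP; the handshake proves it owns the
            # address, so the retry is answered.  The spoofed sender never sees
            # the TC reply at all, so it gets nothing from a slipped response.
            seen[cls]["tcp_answer"] += 1
    return seen


def amplification(counter, queries_sent):
    """Bytes reflected at the spoofed address per byte the attacker sent."""
    reflected = counter["answer"] * ANSWER_BYTES + counter["truncate"] * QUERY_BYTES
    return reflected / (queries_sent * QUERY_BYTES)


if __name__ == "__main__":
    with_rrl = simulate()
    no_rrl = simulate(rrl=RRL(limit=None))
    print("resolver during attack:", dict(with_rrl["legit"]))
    print("amplification with RRL: %.2f, without: %.2f" % (
        amplification(with_rrl["spoofed"], ATTACK_QPS),
        amplification(no_rrl["spoofed"], ATTACK_QPS)))
    print("resolver without attack:", dict(simulate(attack=False)["legit"]))
```

Run as is, the model shows both halves of the argument: with RRL the reflected volume at the spoofed address falls from 50 bytes per attacker byte to under 1, but in the same second the forged resolver gets none of its five real queries answered over UDP, recovers three of them only through TCP retries, and loses two outright until it times out. Raising the limit, lowering slip, or keying on a narrower netblock all move that balance; the spoofed address and the real resolver cannot be told apart at this layer, which is why the thread keeps coming back to BCP 38.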

Re: [dns-operations] AAAA record for c.root-servers.net

2014-03-31 Thread Patrick W. Gilmore
On Mar 31, 2014, at 20:23 , Jared Mauch wrote: > On Mar 31, 2014, at 5:08 PM, Mark Andrews wrote: >>> Yes. >>> >>> I posted the output for networks which cannot reach >>> c.root-servers.net over IPv6. >> >> Basically anyone using Hurricane Electric. > > This is well known that Cogent (nee c.

Re: [dns-operations] dns-operations@lists.dns-oarc.net

2012-05-09 Thread Patrick W. Gilmore
If you are looking for DDoS resilience, the answer is not "X times normal". A DDoS is not a multiple of your normal traffic, it is whatever the botnet can throw at you. This is obviously different for everyone. If you are a small provider with a couple GigEs of transit, then having capacity f

Re: [dns-operations] dns-operations@lists.dns-oarc.net

2012-05-09 Thread Patrick W. Gilmore
On May 9, 2012, at 10:56 , Chris Adams wrote: > Once upon a time, Patrick W. Gilmore said: >> If you are looking for DDoS resilience, the answer is not "X times normal". >> A DDoS is not a multiple of your normal traffic, it is whatever the botnet >> can throw

Re: [dns-operations] The (very) uneven distribution of DNS root servers on the Internet

2012-05-15 Thread Patrick W. Gilmore
On May 15, 2012, at 11:00 , Suzanne Woolf wrote: > On Tue, May 15, 2012 at 09:46:36AM +0100, Jim Reid wrote: >> On 15 May 2012, at 08:23, Stephane Bortzmeyer wrote: >> >>> http://royal.pingdom.com/2012/05/07/the-very-uneven-distribution-of-dns-root-servers-on-the-internet/ >>> >>> Technically ver

Re: [dns-operations] The (very) uneven distribution of DNS root servers on the Internet

2012-05-15 Thread Patrick W. Gilmore
> I think a much better metric, but one that would be impossibly difficult to > pin down or get data for, would be looking at the average number of hops > between ISPs caching servers and their closest root server. Hops are irrelevant. Latency, packetloss, throughput (some people call all thre

Re: [dns-operations] The (very) uneven distribution of DNS root servers on the Internet

2012-05-16 Thread Patrick W. Gilmore
On May 16, 2012, at 18:45 , Randy Bush wrote: >>> One could logically assume that if a caching server is within a >>> certain radius of a node geographically, they are likely able to >>> route to it (country boundaries/geography may change this, but I did >>> say roughly). >> >> This assumption i

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Patrick W. Gilmore
Composed on a virtual keyboard, please forgive typos. On Jun 10, 2012, at 5:36, "Dobbins, Roland" wrote: > On Jun 10, 2012, at 6:25 PM, DTNX Postmaster wrote: > >> A single ANY query for a domain gives you the NS, MX, TXT and SPF records, >> plus any A/AAAA record present. At scale, who knows,

Re: [dns-operations] question for DNS being attacked

2012-06-28 Thread Patrick W. Gilmore
On Jun 28, 2012, at 15:10 , Michael Graff wrote: > "BCP 38" Enough said. Unfortunately, it clearly is not. Plus I've been saying it for many years, and hearing people say things like "no one spoofs sources any more, since botnets are so easy & cheap". -- TTFN, patrick

Re: [dns-operations] Google Public DNS and round robin records

2012-07-22 Thread Patrick W. Gilmore
On Jul 22, 2012, at 13:07 , Paul Vixie wrote: > On 2012-07-22 5:03 PM, Mark Jeftovic wrote: >> Yes you can run your own resolvers where you can better control all this >> stuff, but often times you cannot control that your remote clients actually >> use it ( most people probably have no idea wh

Re: [dns-operations] DNS in iPhone 5

2012-10-02 Thread Patrick W. Gilmore
On Oct 02, 2012, at 05:29 , Ralf Weber wrote: > On 02.10.2012, at 10:58, Patrik Wallström wrote: > >> I am not convinced by their conclusion. Has anybody here any clue what is >> going on? Is it related to their attempt at doing something with DNSSEC? > I guess it's more related to IPv6 as it

Re: [dns-operations] Apple and bogusapple.com

2012-10-02 Thread Patrick W. Gilmore
On Oct 02, 2012, at 05:29 , Stephane Bortzmeyer wrote: > A big fail, I'm afraid. Apple's software tried to contact > bogusapple.com (presumably to have a "known to fail" test) but > someone registered the domain yesterday : > > https://discussions.apple.com/thread/4380270?tstart=0 Saw that ye

Re: [dns-operations] How to get the anycast networks?

2012-10-14 Thread Patrick W. Gilmore
On Oct 13, 2012, at 05:51 , pangj wrote: >> An anycasted DNS only helps, if your 'other infrastructure', e.g. your >> webservers, are also setup 'around the world' to keep the distance low. >> >> What problems do you think anycast will solve? > > We are a small CDN company so we want the anycas

Re: [dns-operations] anycasting for fun and profit

2012-10-16 Thread Patrick W. Gilmore
On Oct 16, 2012, at 08:33 , paul vixie wrote: > dns anycasting can also be done solely with provider-assigned space and > no ASN of your own. for ISC we have three anycast clouds, one for f-root > which has its own prefix and its own ASN, one for our public benefit > secondary service which has i

Re: [dns-operations] Force TCP for external queries to Open Resolvers?

2013-03-31 Thread Patrick W. Gilmore
On Mar 31, 2013, at 08:32 , Jim Reid wrote: > On 31 Mar 2013, at 10:30, Xun Fan wrote: >> So do you think "force TCP for external queries to OR" is a feasible >> solution to DNS reflect amplification problem? > > It's a nice idea that's worth trying. > > I'm not sure it will make a difference

Re: [dns-operations] Force TCP for external queries to Open Resolvers?

2013-03-31 Thread Patrick W. Gilmore
On Mar 31, 2013, at 10:22 , Jim Reid wrote: > On 31 Mar 2013, at 14:36, "Patrick W. Gilmore" wrote: >> CloudFlare, CacheFly, and a few other CDNs who anycast web server addresses >> would probably disagree. > > Yeah. We both know we have had those discussions b