[151969] in North American Network Operators' Group
Re: DNS noise
daemon@ATHENA.MIT.EDU (Jimmy Hess)
Fri Apr 6 14:13:54 2012
In-Reply-To: <4F7F3039.3000604@foobar.org>
Date: Fri, 6 Apr 2012 13:13:22 -0500
From: Jimmy Hess <mysidia@gmail.com>
To: Nick Hilliard <nick@foobar.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Fri, Apr 6, 2012 at 1:04 PM, Nick Hilliard <nick@foobar.org> wrote:
> On 06/04/2012 18:41, Nathan Eisenberg wrote:
>> Anyone else seeing this sort of noise lately?
>
> There has been a bit of that recently for ripe.net and several other well
> known DNSSEC enabled domains (e.g. isc.org).
>
> It turns out that DNSSEC makes a respectable traffic amplification vector:
This is definitely a problem.
Unfortunately, what really should happen is DNSSEC should be revised, to,
either make sure that the client initiating the query has to either do more
work than the server, or make a round trip before the DNSSEC data can
be requested.
One way of accomplishing that would be to indicate that DNSSEC data
can be transmitted only over DNS when using TCP; since a reflection
spoofer cannot complete
a 3-way TCP handshake, the attacker cannot send spoofed requests for DNSSEC
data over TCP.
--
-JH
