[49980] in North American Network Operators' Group
Re: DNS was Re: Internet Vulnerabilities
daemon@ATHENA.MIT.EDU (=?ISO-8859-1?Q?M=E5ns_Nilsson?=)
Mon Jul 15 03:08:55 2002
Date: Mon, 15 Jul 2002 09:07:41 +0200
From: =?ISO-8859-1?Q?M=E5ns_Nilsson?= <mansaxel@sunet.se>
To: Nanog Mailing List <nanog@merit.edu>
In-Reply-To: <3D25CE50.CD6B61CF@wretched.demon.co.uk>
Errors-To: owner-nanog-outgoing@merit.edu
--On Friday, July 05, 2002 17:50:24 +0100 Simon Waters
<Simon@wretched.demon.co.uk> wrote:
> I
> would guess the "." zone probably isn't that large in absolute
> terms, so large ISPs (NANOG members ?) could arrange for their
> recursive servers to act as private secondaries of ".", thus
> eliminating the dependence on the root servers entirely for a
> large chunks of the Internet user base.
-rw-r--r-- 1 9998 213 14102 Jul 14 19:56 root.zone.gz
-rw-r--r-- 1 9998 213 75 Jul 14 20:41 root.zone.gz.md5
-rw-r--r-- 1 9998 213 72 Jul 14 20:42 root.zone.gz.sig
> I think the kinds of zones being handled by the gtld-servers
> would be harder to relocate, if only due to size, although the
> average NANOG reader probably has rather more bandwidth
> available than I do, they may not have the right kind of spare
> capacity on their DNS servers to secondary ".com" at short
> notice.
Exactly. The .com zone is large. I doubt that the average NANOG=20
reader has a 16GB RAM machine idling just in case some kiddie=20
wants to DoS Verisign.=20
> All I think root server protection requires is someone with
> access to the relevant zone to make it available through other
> channels to large ISPs. There is no technical reason why key DNS
> infrastructure providers could not implement such a scheme on
> their own recursive DNS servers now, and it would offer to
> reduce load on both their own, and the root DNS servers and
> networks.
Network load is hardly the problem, except in very starved cases;=20
a big well-used server will perhaps fill a T-1 or two.=20
> The single limiting factor on implementing such an approach
> would be DNS know-how, as whilst it is probably a two line
> change for most DNS servers to forward to their ISPs DNS server
> (or zone transfer "."), many sites probably lack the inhouse
> skills to make that change at short notice.
This is the problem with "clever tricks"; they can be implemented
by people who are "in the loop", but most others will not make it=20
work.=20
> In practical terms I'd be more worried about smaller attacks
> against specific CC domains, I could imagine some people seeing
> disruption of "il" as a more potent (and perhaps less globally
> unpopular) political statement, than disrupting the whole
> Internet. Similarly an attack on a commercial subdomain in a
> specific country could be used to make a political statement,
> but might have significant economic consequences for some
> companies. Attacking 3 or 4 servers is far easier than attacking
> 13 geographically diverse, well networked, and well protected
> servers.
>=20
> Similarly I think many CC domains, and country based SLD are far
> more "hackable" than many people realised due to the extensive
> use of out of bailiwick data, as described by DJB. At some point
> the script kiddies will realise they can "own" a country or two
> instead of one website, by hacking one DNS server, and the less
> well secured DNS servers will all go in a week or two.
I definitely agree. ccTLDen are in very varying states of security=20
awareness, and while I believe .il is aware and prepared, other=20
conflict zone domains might not be...=20
--=20
M=E5ns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC MN1334-RIPE
We're sysadmins. To us, data is a protocol-overhead.
