[98458] in North American Network Operators' Group
Re: large organization nameservers sending icmp packets to dns servers.
daemon@ATHENA.MIT.EDU (Douglas Otis)
Wed Aug 8 20:23:19 2007
In-Reply-To: <g3k5s5g7t7.fsf@sa.vix.com>
Cc: nanog@merit.edu
From: Douglas Otis <dotis@mail-abuse.org>
Date: Wed, 8 Aug 2007 17:22:10 -0700
To: Paul Vixie <vixie@vix.com>
Errors-To: owner-nanog@merit.edu
On Aug 8, 2007, at 12:11 PM, Paul Vixie wrote:
> dotis@mail-abuse.org (Douglas Otis) writes:
>> Ensuring an authoritative domain name server responds via UDP is a
>> critical security requirement. TCP will not create the same risk
>> of a resolver being poisoned, but a TCP connection will consume a
>> significant amount of a name server's resources.
>
> ...but this is flat out wrong, dead wrong, no way to candy coat it,
> wrong.
Wanting to understand this comment, I'll expand upon the quoted
statement.
Resolver's factors affecting DNS security are:
- selection of port and transaction IDs
- restrictions on outstanding queries for same resource
- limits on inbound bandwidth
Ignoring uncontrollable factors...
Authoritative server factors affecting security are:
- time frame for an answer
- duration of RR TTLs
- number of servers
A short time frame for an answer along with longer TTLs are
influenced by authoritative servers and also affect spoofing rates.
When DNS TCP is used, the transport sequence number further precludes
a spoofed TCP answer from being accepted. When a truncated response
is returned, TCP fallback may be attempted. When a TCP ICMP refusal
is filtered or never sent, but TCP has been blocked, the timeframe
alloted for spoofing could entail the entire TCP timeout. However,
probability for successful spoofing includes an additional multiplier
of 1 / 2^32. This reduction should sufficiently negate an additional
timeout duration.
TCP requires state and introduces several additional exchanges for a
given number of answers. Any effort related to poisoning will likely
attempt to delay an answer by adding to the server's overhead.
Precluding truncation, and thereby eliminating TCP, should favorably
reduce server overhead and increase overall performance.
Of course, a more practical method would be to ensure sufficient DNS
resources are available by increasing server resources. That said,
how many domains allocate a couple of prior generation servers for DNS?
-Doug
