Re: [DNSOP] Root server tar pitting? Is there a better way?

bert hubert <bert.hubert@powerdns.com> Mon, 16 May 2016 21:43 UTC


On Mon, May 16, 2016 at 09:34:17PM +0000, Wessels, Duane wrote:
> I think what you're suggesting has already been proposed.  See https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/ and https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/

It is in fact something you can do today. Some of the largest PowerDNS
Recursor sites in the world run with 'root-nx-trust' enabled:

"If set, an NXDOMAIN from the root-servers will serve as a blanket NXDOMAIN
for the entire TLD the query belonged to. The effect of this is far fewer
queries to the root-servers."

This after f-root had enabled RRL slightly too aggressively on some nodes.

We just tested this setting against the "owned Ubiquity" attack and after a
thousand queries or so traffic to the roots dropped off to almost zero.

	Bert


> 
> DW
> 
> 
> > On May 16, 2016, at 2:23 PM, Brian Somers <bsomers@opendns.com> wrote:
> > 
> > Hi folks,
> > 
> > I work at OpenDNS.  We saw a DoS attack in Miami on Friday night around 10-11:00pm PST, consisting of UDP DNS requests for AAA.BBB.CCC.DDD where each of AAA, BBB, CCC and DDD are three digit numbers not greater than 500.
> > 
> > Each query was answered with an NXDOMAIN by the root servers. Although our resolvers cached the NXDOMAIN for 1 hour (we cap negative responses at 1 hour despite the larger SOA MINIMUM), it was ineffective in reducing the load on the root servers as every varying query was another root server request.
> > 
> > We eventually blackholed all TLDs from 000 to 500 to stifle the problem (locally delegating them to 127.0.0.1 where we don’t listen).
> > 
> > However, during the attack, we also saw a huge number of TCP sockets in TIME_WAIT talking to root servers (probably all root servers).  I’m curious if
> > 
> > 1.  Are root servers doing some sort of tar pitting where they send a TC and then firewall port 53?
> > 2.  Has anyone ever considered a better way than responding with NXDOMAIN?
> > 
> > The second is a loaded question, but it occurs to me that a new type of negative response to (say) 111.222.333.444/IN/A might be an NXDOMAIN with an SOA record (as we do now) but also with an indicator that 444 and below are NXDOMAINs. I'm not sure what that might look like, maybe "444/IN/NS ." in the AUTHORITY section where "." is the NS value meaning that 444 is actually delegated to nobody.
> > 
> > Thoughts/comments?
> > 
> > —
> > Brian
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
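The following is an added simulation of the 'root-nx-trust' behaviour Bert describes, contrasted with plain per-name negative caching against a stream of the AAA.BBB.CCC.DDD attack names Brian saw. It is constructed for this thread and is not PowerDNS Recursor code; the three-TLD root zone and the query generator are assumptions.

```python
# Constructed model of a recursor's negative cache, with and without
# root-nx-trust (not PowerDNS code). Only the path for names whose TLD
# the root answers with NXDOMAIN is modelled.
import random

NEG_TTL = 3600                      # negative-cache lifetime, matching the 1 hour cap in the thread
ROOT_TLDS = {"com", "net", "nl"}    # assumed stand-in for the TLDs the root zone delegates


class Recursor:
    def __init__(self, root_nx_trust):
        self.root_nx_trust = root_nx_trust
        self.negcache = {}          # exact name or bare TLD -> expiry time
        self.delegations = set()    # TLDs the root has confirmed exist
        self.root_queries = 0       # packets that actually reached a root server

    def resolve(self, qname, now=0):
        """Return (rcode, answered_from_cache) for one query."""
        qname = qname.lower().rstrip(".")
        tld = qname.rsplit(".", 1)[-1]
        # The exact name is always checked; with root-nx-trust the bare TLD is
        # checked too, because a root NXDOMAIN for any name under a label means
        # that label is not delegated at all.
        keys = (qname, tld) if self.root_nx_trust else (qname,)
        if any(self.negcache.get(k, 0) > now for k in keys):
            return "NXDOMAIN", True
        if tld in self.delegations:
            return "DELEGATED", True    # resolution would continue below the TLD
        self.root_queries += 1          # cache miss: ask the root
        if tld in ROOT_TLDS:
            self.delegations.add(tld)
            return "DELEGATED", False
        self.negcache[qname] = now + NEG_TTL
        if self.root_nx_trust:
            self.negcache[tld] = now + NEG_TTL   # blanket NXDOMAIN for the whole TLD
        return "NXDOMAIN", False


def root_load(queries, root_nx_trust):
    """Number of queries from the stream that reach the root."""
    r = Recursor(root_nx_trust)
    for q in queries:
        r.resolve(q)
    return r.root_queries


def attack_queries(n, seed=1):
    """Constructed AAA.BBB.CCC.DDD names, each label a number not greater than 500."""
    rng = random.Random(seed)
    return [".".join(f"{rng.randint(0, 500):03d}" for _ in range(4)) for _ in range(n)]


if __name__ == "__main__":
    qs = attack_queries(10000)
    print("root queries without root-nx-trust:", root_load(qs, False))
    print("root queries with root-nx-trust:   ", root_load(qs, True))
```

With root-nx-trust the root sees at most one query per distinct numeric TLD (501 at most), after which the rest of the attack is absorbed by the negative cache, which is the drop-off Bert reports.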