IETF Logo Mail Archive

Re: [DNSOP] Root server tar pitting? Is there a better way?

Marek Vavruša <mvavrusa@cloudflare.com> Mon, 16 May 2016 21:40 UTC

Return-Path: <mvavrusa@cloudflare.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C60512DAD0 for <dnsop@ietfa.amsl.com>; Mon, 16 May 2016 14:40:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id voVFCK3IIPe0 for <dnsop@ietfa.amsl.com>; Mon, 16 May 2016 14:40:51 -0700 (PDT)
Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEB2012D162 for <dnsop@ietf.org>; Mon, 16 May 2016 14:40:50 -0700 (PDT)
Received: by mail-yw0-x233.google.com with SMTP id j74so175534407ywg.1 for <dnsop@ietf.org>; Mon, 16 May 2016 14:40:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-transfer-encoding; bh=TFZGn/5QdIIo3l/Osq2ugX2SrSSf+SF915Xgdh7pFsI=; b=kISfCyyAPOuNi3qkKKBWf5UlwtDYVXjScZ/tQ4u77C55aVvR+iZis0K0UMU0m0bHvb F5STX3PSDJL+KjULHNNi1g8guAek659IdwghMCyVBw4q+NGpNdJDB1zZqwX5Fgah8byH OLhJWEzsInY6dYDhMkzQcoI647sr8KqfQFiC8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-transfer-encoding; bh=TFZGn/5QdIIo3l/Osq2ugX2SrSSf+SF915Xgdh7pFsI=; b=ZJ7y6+4w+4mqHtXm7cDOx2A4qpnn8lcBmHKUkvlF/RSzEG8OKQEp4Bf37Ur1IJnRvZ TyffNCfhgp+A6sYH7aQBiiH7NHcFy+6mZd9YyhOU8XGHm/SDXaG1mAlc2SOdw/sKIQJe B73jXpp5KXKtYyEpErCwDyQ3cQp6DkgNeVW1UtAJ07xjxFJx3k1AlHhF8+AkTfZRPoKF d8IBwDpkrBrPK3IUbZxz0jiRwWeDCilGVflNTdDDrUCJgLNg5hj5671D19PLFbR5UbNg 5cskc51bu0ZRXWwys2SmFDuLIiV1iZF/jGtbC5/mE9rVri+L+0ImWenNhY9TRWBr3fuu EVxw==
X-Gm-Message-State: AOPr4FUzif7HOVBd38XgTef/noyWie0pCDlVm/mWi4nuE5e6jjuS1ZF//acKZ0XEH9E4N2FwHRjrE70oC91Q6J9O
MIME-Version: 1.0
X-Received: by 10.37.15.10 with SMTP id 10mr11884373ybp.51.1463434850058; Mon, 16 May 2016 14:40:50 -0700 (PDT)
Received: by 10.37.8.202 with HTTP; Mon, 16 May 2016 14:40:49 -0700 (PDT)
In-Reply-To: <29A70833-47CA-4371-8150-9C7AB16A0877@verisign.com>
References: <44FFEAA9-7579-47E9-A5AF-5C0E1B720634@opendns.com> <29A70833-47CA-4371-8150-9C7AB16A0877@verisign.com>
Date: Mon, 16 May 2016 14:40:49 -0700
Message-ID: <CAC=TB12LBJ_=4nwPoAPxjLmUJKZZXaRd1NYZGT2GOwCTzs1=9w@mail.gmail.com>
From: Marek Vavruša <mvavrusa@cloudflare.com>
To: Brian Somers <bsomers@opendns.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/pGyc20YEhH69e16K4k9pgh9Hygg>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, "Wessels, Duane" <dwessels@verisign.com>
Subject: Re: [DNSOP] Root server tar pitting? Is there a better way?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 May 2016 21:40:52 -0000

Why not run a local copy of the root? It should be a good practice for
large recursives, plus you get better latency.

Marek

On Mon, May 16, 2016 at 2:34 PM, Wessels, Duane <dwessels@verisign.com> wrote:
> Hi Brian,
>
> I think what you're suggesting has already been proposed.  See https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/ and https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/
>
> DW
>
>
>> On May 16, 2016, at 2:23 PM, Brian Somers <bsomers@opendns.com> wrote:
>>
>> Hi folks,
>>
>> I work at OpenDNS.  We saw a DoS attack in Miami on Friday night around 10-11:00pm PST, consisting of UDP DNS requests for AAA.BBB.CCC.DDD where each of AAA, BBB, CCC and DDD are three digit numbers not greater than 500.
>>
>> Each query was answered with an NXDOMAIN by the root servers,   Although our resolvers cached the NXDOMAIN for 1 hour (we cap negative responses at 1 hour despite the larger SOA MINIMUM) it was ineffective in reducing the load on the root servers as every varying query was another root server request.
>>
>> We eventually blackholed all TLDs from 000 to 500 to stifle the problem (locally delegating them to 127.0.0.1 where we don’t listen).
>>
>> However, during the attack, we also saw a huge number of TCP sockets in TIME_WAIT talking to root servers (probably all root servers).  I’m curious if
>>
>> 1.  Are root servers doing some sort of tar pitting where they send a TC and then firewall port 53?
>> 2.  Has anyone ever considered a better way than responding with NXDOMAIN?
>>
>> The second is a loaded question, but it occurs to me that a new type of negative response to (say) 111.222.333.444/IN/A might be an NXDOMAIN with an SOA record (as we do now) but also with an indicator that 444 and below are NXDOMAINs.  I’m not sure what that might look like, maybe "444/IN/NS .” in the AUTHORITY section where “.” is the NS value meaning that 444 is actually delegated to nobody.
>>
>> Thoughts/comments?
>>
>> —
>> Brian
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email