Re: [DNSOP] New Version Notification for draft-liu-dnsop-dns-cache

[abby pan <abbypan@gmail.com>]

Stephane Bortzmeyer <bortzmeyer@nic.fr>于2016年3月29日周二 下午9:48写道：

> On Mon, Mar 28, 2016 at 05:38:01AM +0000,
>  abby pan <abbypan@gmail.com> wrote
>  a message of 246 lines which said:
>
> > 1) baofeng recursive ddos attack(2009):
> > http://www.pcworld.com/article/165319/article.html
>
> A more technical reference for this attack is the OARC talk
> <https://www.dns-oarc.net/files/workshop-200911/Ziqian_Liu.pdf>
>
> yes, in ziqian_liu's talk , they "Increase the TTL of baofeng.com related
RRs"  on the cache  to rescue


> > 2) baidu dns hijack(2010):
> >
> http://www.zdnet.com/article/baidu-dns-records-hijacked-by-iranian-cyber-army/
>
> This paper says it was purely social engineering on the registrar. No
> change in the DNS would help.
>

if cache can temporary prolong the ttl of baidu ns, that will help.


> > The selection is automatic, commonly TOP-N domain names.
>
> OK, so if I want my own personal vanity domain name to be well cached,
> I just have to hire a botnet to send many requests for bortzmeyer.org.
>
> Also, it seems you mix "important" with "often
> queried". impots.gouv.fr (the tax service) is important in France, if
> you cannot reach it, you'll not be able to pay and you wil be
> fined. But it does not see a lot of requests, typical people use it
> once a year.
>

yes,  simply online TOP-N is easy to around.

But the "hot" domain we can pre-set, as your example, like "*.gov.cn"， “
qq.com",  "baidu.com",  "taobao.com" in china.

We manage the "most important" domain list, not just from dns query count,
but also the service data flow associated with the domain, also from some
company alliance.


> > How long will the SERVFAIL cache last usually depend on ISP network
> > bgp status, especially when recursive send dns query when the ns
> > server is in other ISP.
>
> You mean the name server has to know BGP?
>

I mean if cache server can check the NS BGP status with some addtional
module,  the rtt of dns query will be benefits.

But as Evan Hunt says, that's not "should" , but can be a choice.


>
> > The pre-fetching is something like link-fetching(
> > https://en.wikipedia.org/wiki/Link_prefetching ), shortten the response
> > time.
> > Again, pre-fetching is part of "backup cache" for ddos attack resuce or
> > baidu hijack rescue, etc.
>
> I did not say pre-fetching is bad, I said it does not require any
> change in the DNS server (it can be done from the outside).
>

I did not say that need change in the DNS server's normal task.

but it can be some additonal module to active when encounter ddos or hijack
( outside the normal case ) .


>
> > In "baofeng recursive ddos attack": short domain TTL + ns shutdown +
> > huge amount client fail and retry prolonging the TTL can partly
> > defense the attack.
>
> I did not say increasing the TTL is bad, I said it is a change in the
> protocol and therefore your draft has to declare it updates RFC 1034
> (and 1035).
>

same as above,  it can be some additonal module to active when encounter
ddos or hijack ( outside the normal case ) .

so that's not change in the protocol, not change the normal dns
query/response.

it's actived to  auto defense when huge count to 1s TTL suddenly rise.


>
> > Sometimes recursive receive hijack data (cache-poisoning attack).
> > if there is an security analysis module, users will more benefits.
>
> If it is just asserting the validity of data before returning it to
> the user, what do you need besides the already existing RFC 2181
> (section 5.4.1) and RFC 5452 (specially sections 6 and 9)?
>

again, it is not change the protocol, but some additional module to
validate the data in cache dns operation.

comodo, opendns has give the protect service :
http://www.computerworld.com/article/2872700/6-dns-services-protect-against-malware-and-other-unwanted-content.html

for example, detect hijack phishing ip of xxx.qq.com , help to correct or
block it.
-- 

Best Regards

Pan Lanlan
Tel: +86 186 9834 2356