DNS was Re: Internet Vulnerabilities

Brad Knowles brad.knowles at skynet.be
Mon Jul 15 15:35:29 UTC 2002


At 9:07 AM +0200 2002/07/15, Måns Nilsson quoted Simon Waters
<Simon at wretched.demon.co.uk> as saying:

>>  I
>>  would guess the "." zone probably isn't that large in absolute
>>  terms, so large ISPs (NANOG members ?) could arrange for their
>>  recursive servers to act as private secondaries of ".", thus
>>  eliminating the dependence on the root servers entirely for a
>>  large chunk of the Internet user base.

	1266 A records
	1243 NS records
	1 SOA record
	1 TXT record

	Currently, B, C, & F are open to zone transfers.


>>  I think the kinds of zones being handled by the gtld-servers
>>  would be harder to relocate, if only due to size, although the
>>  average NANOG reader probably has rather more bandwidth
>>  available than I do, they may not have the right kind of spare
>>  capacity on their DNS servers to secondary ".com" at short
>>  notice.

	Edu is pretty good size:

		17188 NS records
		 5514 A records
		    1 SOA record
		    1 TXT record

	A complete zone transfer comprises some 1016491 bytes.

>>  All I think root server protection requires is someone with
>>  access to the relevant zone to make it available through other
>>  channels to large ISPs. There is no technical reason why key DNS
>>  infrastructure providers could not implement such a scheme on
>>  their own recursive DNS servers now, and it would offer to
>>  reduce load on both their own, and the root DNS servers and
>>  networks.

	I disagree.  This is only going to help those ISPs that are 
clued-in enough to act as a stealth secondary of the zone, and then 
only for those customers that will be using their nameservers as 
caching/recursive servers, or have their own caching/recursive 
servers forward all unknown queries to their ISPs.  I'm sorry, but 
that's a vanishingly small group of people, and will have little or 
no measurable impact.

	Better would be for the root nameservers to do per-IP address 
throttling.  If you send them too many queries in a given period of 
time, they can throw away any excess queries.  This prevents people 
from running tools like queryperf on a constant basis from 
excessively abusing the server.

	Indeed, some root nameservers are already doing per-IP address throttling.

>>  In practical terms I'd be more worried about smaller attacks
>>  against specific CC domains, I could imagine some people seeing
>>  disruption of "il" as a more potent (and perhaps less globally
>>  unpopular) political statement, than disrupting the whole
>>  Internet.

	Keep in mind that some ccTLDs are pretty good size themselves. 
The largest domain I've been able to get a zone transfer of is .tv, 
comprising some 20919120 bytes of data -- 381812 NSes, 72694 A RRs, 
5754 CNAMEs, and 3 MXes.

	Any zone that is served by a system that is both authoritative 
and public caching/recursive is wide-open for cache-poisoning attacks 
-- such as any zone served by nic.lth.se [130.235.20.3].

>>  Similarly an attack on a commercial subdomain in a
>>  specific country could be used to make a political statement,
>>  but might have significant economic consequences for some
>>  companies. Attacking 3 or 4 servers is far easier than attacking
>>  13 geographically diverse, well networked, and well protected
>>  servers.

	Who said that the root nameservers were geographically diverse? 
I don't think the situation has changed much since the list at 
<http://www.icann.org/committees/dns-root/y2k-statement.htm> was 
created.  I don't call this geographically diverse.

>  I definitely agree. ccTLDs are in very varying states of security
>  awareness, and while I believe .il is aware and prepared, other
>  conflict zone domains might not be...

	Except for the performance issues, IMO ccTLDs should be held to 
the same standards of operation as the root nameservers, and thus 
subject to RFC 2010 "Operational Criteria for Root Name Servers" by 
B. Manning, P. Vixie and RFC 2870 "Root Name Server Operational 
Requirements" by R. Bush, D. Karrenberg, M. Kosters, & R. Plzak.


	Those of you who are interested in this topic may want to drop in 
on my invited talk "Domain Name Server Comparison: BIND 8 vs. BIND 9 
vs. djbdns vs. ???" at LISA 2002.  Root & TLD server issues will 
figure heavily in comparison.  ;-)

-- 
Brad Knowles, <brad.knowles at skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.
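An added illustration of the per-IP address throttling Brad recommends above; this is example code written for this page, not anything from the original thread or from a root server operator. It keys a token bucket on the query's source address so that a client exceeding its sustained rate plus a burst allowance simply has its excess queries discarded, and runs it over a constructed set of query arrivals; the addresses, the 8 queries/s rate and the burst of 10 are assumptions chosen for the example.

```python
from collections import defaultdict

class PerIPThrottle:
    """Token bucket per source IP: `rate` queries/second sustained,
    `burst` queries allowed back-to-back before excess is discarded."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self._buckets = {}                      # src_ip -> (tokens, last_seen)
        self.dropped_by_ip = defaultdict(int)   # per-IP count of discarded queries

    def allow(self, src_ip: str, now: float) -> bool:
        tokens, last = self._buckets.get(src_ip, (float(self.burst), now))
        # refill proportionally to elapsed time, capped at the burst size
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:                       # spend one token: answer it
            self._buckets[src_ip] = (tokens - 1.0, now)
            return True
        self._buckets[src_ip] = (tokens, now)   # no token left: throw it away
        self.dropped_by_ip[src_ip] += 1
        return False

def filter_queries(queries, rate=8.0, burst=10):
    """queries: iterable of (timestamp, src_ip, qname), processed in time
    order. Returns (answered, dropped) lists of the same tuples."""
    throttle = PerIPThrottle(rate, burst)
    answered, dropped = [], []
    for q in sorted(queries):
        (answered if throttle.allow(q[1], q[0]) else dropped).append(q)
    return answered, dropped

# Constructed sample arrivals (RFC 5737 documentation addresses):
# 198.51.100.9 behaves like an unattended queryperf run at 16 queries/s
# for 4 seconds; 192.0.2.10 is an ordinary resolver sending 2 queries/s.
SAMPLE_QUERIES = (
    [(i / 16, "198.51.100.9", "example.") for i in range(64)]
    + [(i / 2, "192.0.2.10", "example.") for i in range(5)]
)

if __name__ == "__main__":
    ok, cut = filter_queries(SAMPLE_QUERIES)
    print(f"answered {len(ok)}, dropped {len(cut)}")   # answered 46, dropped 23
```

Once the heavy sender's burst is spent it is served at exactly the sustained rate (every other query is dropped), while the normal resolver never loses a query.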
