large organization nameservers sending icmp packets to dns servers.

Douglas Otis dotis at
Thu Aug 9 00:22:10 UTC 2007

On Aug 8, 2007, at 12:11 PM, Paul Vixie wrote:

> dotis at (Douglas Otis) writes:
>> Ensuring an authoritative domain name server responds via UDP is a  
>> critical security requirement.  TCP will not create the same risk  
>> of a resolver being poisoned, but a TCP connection will consume a  
>> significant amount of a name server's resources.
> ...but this is flat out wrong, dead wrong, no way to candy coat it,  
> wrong.

Wanting to understand this comment, I'll expand upon the quoted  

Resolver's factors affecting DNS security are:
  - selection of port and transaction IDs
  - restrictions on outstanding queries for same resource
  - limits on inbound bandwidth

Ignoring uncontrollable factors...

Authoritative server factors affecting security are:
  - time frame for an answer
  - duration of RR TTLs
  - number of servers

A short time frame for an answer along with longer TTLs are  
influenced by authoritative servers and also affect spoofing rates.

When DNS TCP is used, the transport sequence number further precludes  
a spoofed TCP answer from being accepted.  When a truncated response  
is returned, TCP fallback may be attempted.  When a TCP ICMP refusal  
is filtered or never sent, but TCP has been blocked, the timeframe  
alloted for spoofing could entail the entire TCP timeout.  However,  
probability for successful spoofing includes an additional multiplier  
of 1 / 2^32.  This reduction should sufficiently negate an additional  
timeout duration.

TCP requires state and introduces several additional exchanges for a  
given number of answers.  Any effort related to poisoning will likely  
attempt to delay an answer by adding to the server's overhead.   
Precluding truncation, and thereby eliminating TCP, should favorably  
reduce server overhead and increase overall performance.

Of course, a more practical method would be to ensure sufficient DNS  
resources are available by increasing server resources.  That said,  
how many domains allocate a couple of prior generation servers for DNS?


More information about the NANOG mailing list