DNS problems to RoadRunner - tcp vs udp

Scott McGrath mcgrath at fas.harvard.edu
Sat Jun 14 16:18:38 CDT 2008


There is no call for insults on this list - Rather thought this list was 
about techincal discussions affecting all of us and keeping DNS alive 
for the majority of our customers certainly qualifies.

We/I am more than aware of the DNS mechanisms and WHY there are there 
trouble is NO DNS server can handle directed TCP attacks even the root 
servers crumbled under directed botnet activity and we have taken the 
decision to accept some collateral damage in order to keep services 
available.     We are a well connected university network with 
multi-gigabit ingress and egress with 10G on Abilene  so we try to 
protect the internet from attacks originating within our borders AND we 
really feel the full wrath of botnets as we do not have a relatively 
slow WAN link to buffer the effects.

Yes - we are blocking TCP too many problems with drone armies and we 
started about a year ago when our DNS servers became unresponsive for no 
apparent reason.   Investigation showed TCP flows of hundreds of 
megabits/sec and connection table overflows from tens of thousands of 
bots all trying to simultaneously do zone transfers and failing tried 
active denial systems and shunning with limited effectiveness.

We are well aware of the host based mechanisms to control zone 
information,  Trouble is with TCP if you can open the connection you can 
DoS so we don't allow the connection to be opened and this is enforced 
at the network level where we can drop at wire speed.     Open to better 
ideas but if you look at the domain in my email address you will see we 
are a target for hostile activity just so someone can 'make their bones'.

Also recall we have a comittment to openess so we would like to make TCP 
services available but until we have effective DNS DoS mitigation which 
can work with 10Gb links It's not going to happen. 

- Scott

Jeroen Massar wrote:
> Scott McGrath wrote:
> [..]
>> For a long time there has been a effective practice of
>>
>> UDP == resolution requests
>> TCP == zone transfers
>
> WRONG. TCP is there as a fallback when the answer of the question is 
> too large. Zone transfer you can limit in your software. If you can't 
> configure your dns servers properly then don't run DNS.
> Also note that botnets have much more effective ways of taking you out.
>
> And sometimes domains actually require TCP because there are too many 
> records for a label eg http://stupid.domain.name/node/651
> If you are thus blocking TCP for DNS resolution you suddenly where 
> blocking google and thus for some people "The Internet".
>
> Also see:
> http://homepages.tesco.net/J.deBoynePollard/FGA/dns-edns0-and-firewalls.html 
>
>
> (Which was the second hit for google(EDNS0) after a link to RFC2671)
>
> Greets,
>  Jeroen
>





More information about the NANOG mailing list