DNS hardening, was Re: Dan Kaminsky

Douglas Otis dotis at mail-abuse.org
Wed Aug 5 13:12:32 CDT 2009

On 8/5/09 9:48 AM, John Levine wrote:
> Other than DNSSEC, I'm aware of these relatively simple hacks to add
> entropy to DNS queries.
> 1) Random query ID
> 2) Random source port
> 3) Random case in queries, e.g. GooGLe.CoM
> 4) Ask twice (with different values for the first three hacks) and
> compare the answers

DNSSEC introduces vulnerabilities, such as reflected attacks and 
fragmentation related exploits that might poison glue, where perhaps 
asking twice might still be needed.

Modern implementations use random 16 bit transaction IDs.  Interposed 
NATs may impair effectiveness of random source ports.  Use of random 
query cases may not offer an entropy increase in some instances.  Asking 
twice, although doubling resource consumption and latency, offers an 
increase in entropy that works best when queried serially.

Establishing SCTP as a preferred DNS transport offers a safe harbor for 
major ISPs.  SCTP protects against both spoofed and reflected attacks. 
Use of persistent SCTP associations can provide lower latency than that 
found using TCP fallback, TCP only, or repeated queries.  SCTP also 
better deals with attack related congestion.

Once UDP is impaired by EDNS0 response sizes that exceed reassembly 
resources, or are preemptively dropped as a result, TCP must then 
dramatically scale up to offer the resilience achieved by UDP anycast. 
In this scenario, SCTP offers several benefits.  SCTP retains 
initialization state within cryptographically secured cookies, which 
provides significant protection against spoofed source resource 
exhaustion.  By first exchanging cookies, the network extends server 
state storage.  SCTP also better ensures against cache poisoning whether 
DNSSEC is used or not.

Having major providers support the SCTP option will mitigate disruptions 
caused by DNS DDoS attacks using fewer resources.  SCTP will also 
encourage use of IPv6, and improve proper SOHO router support.  When 
SCTP becomes used by HTTP, this further enhances DDoS resistance for 
even critical web related services as well.
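As an added example that is not part of the original post or thread: a Python sketch of the 0x20 case-randomization check a resolver performs, plus a back-of-envelope comparison of the entropy sources listed above (a NAT that removes source-port entropy, a name with few letters, and serial ask-twice). It assumes idealized, independent, uniformly random sources and an authoritative server that echoes the question name's case exactly; the bit counts are for comparing scenarios, not precise figures.

```python
import random

def randomize_case(qname, seed=None):
    """0x20 encoding: give each ASCII letter of the query name a random case.
    seed is only for reproducible tests; a real resolver should use SystemRandom."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    out = []
    for c in qname:
        out.append((c.upper() if rng.getrandbits(1) else c.lower()) if c.isalpha() else c)
    return "".join(out)

def response_matches(sent_qname, answer_qname):
    """A 0x20-aware resolver accepts an answer only if its question section
    echoes the exact mixed case that was sent (byte-for-byte comparison,
    not the usual case-insensitive DNS name comparison)."""
    return sent_qname == answer_qname

def case_bits(qname):
    """0x20 adds one bit per ASCII letter; digits, dots and hyphens add nothing,
    which is why short or mostly numeric names gain little from it."""
    return sum(1 for c in qname if c.isalpha())

def spoof_entropy_bits(qname, txid_bits=16, port_bits=16, use_0x20=True, ask_twice=False):
    """Bits an off-path forger must guess for one query. port_bits=0 models a
    NAT that rewrites source ports to a predictable sequence. Asking twice
    serially means both answers must be forged independently (the second
    query is only sent after the first is answered), so the bits double."""
    bits = txid_bits + port_bits + (case_bits(qname) if use_0x20 else 0)
    return bits * 2 if ask_twice else bits

def expected_forgeries_to_match(bits):
    """Average number of forged responses before one matches a uniformly
    random key of the given width (half the key space)."""
    return 2 ** bits / 2

def entropy_report(qname):
    """Compare the scenarios discussed in the thread for one query name."""
    return {
        "txid only (NAT strips ports, no 0x20)": spoof_entropy_bits(qname, port_bits=0, use_0x20=False),
        "txid + random port": spoof_entropy_bits(qname, use_0x20=False),
        "txid + port + 0x20": spoof_entropy_bits(qname),
        "txid + port + 0x20, ask twice": spoof_entropy_bits(qname, ask_twice=True),
    }

if __name__ == "__main__":
    # Constructed sample names: one long, one with only three letters.
    for name in ("example.com", "x.cn"):
        print(name, randomize_case(name), entropy_report(name))
```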


More information about the NANOG mailing list