DNS noise

Nick Hilliard nick at foobar.org
Fri Apr 6 18:04:41 UTC 2012


On 06/04/2012 18:41, Nathan Eisenberg wrote:
> Anyone else seeing this sort of noise lately?

There has been a bit of that recently for ripe.net and several other well
known DNSSEC enabled domains (e.g. isc.org).

It turns out that DNSSEC makes a respectable traffic amplification vector:

> twinkie# dig +ignore +notcp any ripe.net | grep rcvd
> ;; MSG SIZE  rcvd: 490
> twinkie#

The dns request packet size was 26 bytes.  Add packet overhead to both the
request and the reply, and you end up with:

request: 26 (data) + 8 (udp) + 20 (ip) + 18 (ethernet frame) + ipg (12) + 8
(preamble) = 92
reply: 490 (data) + 8 (udp) + 20 (ip) + 18 (ethernet frame) + ipg (12) + 8
(preamble) = 556

=> amplification on ethernet medium == 556/92, or slightly more than 6x.

Welcome back to the 1990s.

Nick




More information about the NANOG mailing list