DNS noise

David Conrad drc at virtualized.org
Fri Apr 6 13:24:18 CDT 2012

On Apr 6, 2012, at 11:13 AM, Jimmy Hess wrote:
>> It turns out that DNSSEC makes a respectable traffic amplification vector:
> This is definitely a problem.

Yep.  So are SNMP reflection attacks (biggest attack I've seen was one of these) and any other datagram-oriented query/response protocol.

> Unfortunately, what really should happen is DNSSEC should be revised, to,
> either make sure that the client initiating the query has to either do more
> work than the server, or make a round trip before the DNSSEC data can
> be requested.

Treating a symptom and ignoring the disease. See http://tools.ietf.org/html/bcp38

> One way of accomplishing that would be to indicate that DNSSEC data
> can be transmitted only over DNS when using TCP;  

I suspect the root server operators might not like this idea very much.


More information about the NANOG mailing list