[NLNOG] What if… DNS over TCP?

Mark Schouten mark at tuxis.nl
Wed Feb 7 17:15:15 CET 2018

Hi Benno,

On Wednesday 7 February 2018 16:53:55 CET Benno Overeinder wrote:
> Question 1: Was the recent DDOS armed by open resolvers allowing for a
> DNS amplification attack?  I didn't hear about the specifics other than
> a botnet, hired for a nominal fee.

I don't know.

> Question 2: Are DNS amplification attacks still an issue?  As far as I
> understand, most name servers are equipped with RRL (response rate
> limiting), effectively nullifying (well, almost) the spoofed traffic
> reflection.

IMHO RRL is a workaround (which might be pretty effective, but still), not a 
solution. And correctly configured nameservers probably aren't a big issue 
whatsoever. But, by depending on DNS over UDP, we cannot just filter it and let 
people that misconfigure their servers be the victims of their own fault.

> I guess most DNS name servers (authoritative/recursive) do support TCP
> to deal with TC bit (truncated answer) and (should try) TCP fallback.
> Measuring name server TCP capabilities by scanning name servers might be
> quite an effort (i.e. which name server to scan?), but you can also look
> at the different DNS server implementations, e.g. BIND, PowerDNS, Knot
> DNS and NSD/Unbound.  ;-)

I'm scanning as we speak. The script I wrote (which probably contains a few 
bugs, but gives some insight) has scanned 8240 nameservers so far, 495 of 
which did not respond to TCP. Input is a version of the Alexa top 1 million 
and a dump of my resolver caches, of which the nameservers are looked up and 
checked. Newly discovered domains get added to the queue in the process.

> In the past years, we (the open source DNS community) made substantial
> progress with introducing DNS-over-TLS in the different code bases.
> This started in the IETF DPRIVE working group and implementations are
> well on the way.  See for more information https://dnsprivacy.org/wiki/.
> All this DNS-over-TLS work focuses on stub to resolver interactions: the
> easy part wrt scaling (up to 10.000 clients).  The hard part is still
> the authoritatives that see up to millions of queries per second.

DNS-over-TLS specifically focuses on client-resolver communication, which is 
nice, but still doesn't allow me to just filter UDP/53 on my edges.

Possibly handling millions of queries over TCP is hard (not an expert on 
that), but I guess we have other services handling lots of requests as well, 
don't we?

Kerio Operator in the Cloud? https://www.kerioindecloud.nl/
Mark Schouten  | Tuxis Internet Engineering
KvK: 61527076  | http://www.tuxis.nl/
T: 0318 200208 | info at tuxis.nl
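An added example of the kind of TCP/53 probe the thread discusses (not Mark's script and not code from any of the DNS implementations named above): it builds a minimal RFC 1035 query, sends it over TCP with the two-byte length prefix, and decodes the header fields (QR, TC, RCODE) that a resolver uses to decide on TCP fallback. Server addresses and the query name are the caller's choice; the ones in the `__main__` block are constructed TEST-NET placeholders.

```python
import socket
import struct
from typing import Optional

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query (RFC 1035): 12-byte header with RD set, one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Decode the header fields a TCP-fallback decision depends on (QR, TC, RCODE)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a TCP stream may deliver the message in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return buf

def tcp_query(server: str, qname: str, timeout: float = 3.0) -> Optional[dict]:
    """Ask `server` for `qname` over TCP/53. DNS over TCP prefixes each message
    with a 2-byte big-endian length. Returns the parsed response header, or None
    when the server does not answer over TCP (refused, timed out, closed early)."""
    q = build_query(qname)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as sock:
            sock.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(sock, 2))
            hdr = parse_header(_recv_exact(sock, length))
            return hdr if hdr["id"] == 0x1234 else None  # drop mismatched IDs
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    # Constructed placeholder targets (TEST-NET); point this at servers you operate.
    for ns in ["192.0.2.1", "192.0.2.2"]:
        print(ns, "TCP ok" if tcp_query(ns, "example.com") else "no TCP answer")
```

A server that answers over UDP with TC=1 but returns None here is exactly the case the thread is counting: clients that honour the TC bit get no answer at all from it.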