Re: BIND9 negative cache after timeout. (Bind Users forums, DNS and Related Forums)
On Thu, Jul 03, 2003 at 09:47:21AM +1000, Mark_Andrews@isc.org wrote:
> > I won't give an answer there because I have another related question:
> >
> > Yes, sometimes my DNS server receives queries for an A record which I am not
> > authoritative for... So as the query is recursive (and I allow recursion)
> > I'm eventually talking to the authoritative server for that domain name...
> > But that server times out...
> >
> > The question is: will my DNS server 'negatively cache' this hostname? Or
> > will it try to do the recursive job all over again?
> >
> > If the last assumption is the right one then this can be an easy way to do
> > Denial-of-service:
> >
> > as a hac|<er:
> > * you register bad-domain.com and delegate it to a server and
> > * you make sure any query times out...
> > * you flood the victim with such recursive queries...
> > * As it takes quite a while to resolve, you will easily and rapidly fill up
> > the "recursive client" quota... and here we go!
>
> And it is also an easy one to prevent. Don't have a wide
> open caching server. Apply anti-spoofing filters at the
> IP level.

It helps somewhat, but that's not preventing the problem. You don't need a wide open resolver to get this. Enough customers that use the resolver are enough to hit this often enough too.

> Given the failure modes of nameservers you can't just say
> because a nameserver failed to respond to a particular query
> that it will also fail to respond to another query. There
> are an effectively infinite number of ways to generate new
> queries that would defeat any negative cache you might have.

No, you can't say that. But what you can say is that broken nameservers or lost connectivity shouldn't bring your nameserver to a crawl. And now that happens. Not sure what a good solution is, but there are lots of stub resolvers out there that keep querying for the same name if it doesn't resolve (ServFail and friends). Surely some caching (even if it's only 10 to 30 seconds) would help here.

> I'm pretty sure I could find enough addresses alone that
> won't respond to DNS queries to generate 1000 q/s to new
> nameservers with unique IP addresses and not have to reuse
> an address for weeks.

Exactly, and I want to see the nameserver hardware that can handle this (especially with bind9 :/). Says enough...

Jan Gyselinck
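The thread turns on two defender-side controls: not being a wide-open recursive server (Mark Andrews' point) and briefly caching the failure so retrying stub resolvers do not re-trigger the same slow recursion (Jan's point). The named.conf fragment below is an added example, not configuration from the thread or from ISC; it assumes a current BIND 9 release (the `servfail-ttl`, `fetches-per-server` and `fetches-per-zone` options did not exist in 2003) and the network ranges are placeholders to be replaced with the resolver's real client networks.

```conf
// Added example for a current BIND 9 named.conf; not from the 2003 thread.
// Network ranges below are placeholders (RFC 5737 / RFC 3849 documentation
// prefixes), to be replaced with the resolver's actual client networks.

// --- Weak form: recursion offered to anyone who can reach the server ---
// options {
//     recursion yes;          // no allow-recursion: an open resolver
// };

// --- Hardened form ---
acl "trusted" {
    192.0.2.0/24;        // placeholder: customer / internal IPv4 range
    2001:db8::/32;       // placeholder: customer / internal IPv6 range
    localhost;
    localnets;
};

options {
    recursion yes;

    // Spend recursion slots (and serve cached answers) only for clients
    // we are willing to resolve on behalf of.
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };

    // The "recursive client" quota the thread refers to: the maximum number
    // of simultaneous outstanding recursive lookups. Size for the real
    // client base rather than leaving it at the default.
    recursive-clients 3000;

    // Cache SERVFAIL for up to 30 seconds (BIND 9's maximum; default 1 s),
    // so a stub resolver that keeps retrying an unresolvable name does not
    // consume a fresh recursion slot on every attempt.
    servfail-ttl 30;

    // Cap outstanding fetches per authoritative server and per zone, so a
    // single unresponsive delegation cannot occupy the whole recursive
    // client pool while other lookups keep getting answered.
    fetches-per-server 200;
    fetches-per-zone   200;
};
```

The anti-spoofing filters Mark mentions are not a named.conf matter: they belong on the network edge (ingress filtering per BCP 38), so that forged source addresses cannot be used to direct the resolver's load at a third party. After changing these options, `named-checkconf` validates the syntax and `rndc status` reports the current recursive-clients usage against the configured limit.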