On Mon, Mar 28, 2016 at 05:38:01AM +0000,
 abby pan <[email protected]> wrote 
 a message of 246 lines which said:

> 1) baofeng recursive ddos attack(2009):
> http://www.pcworld.com/article/165319/article.html

A more technical reference for this attack is the OARC talk
<https://www.dns-oarc.net/files/workshop-200911/Ziqian_Liu.pdf>

> 2) baidu dns hijack(2010):
> http://www.zdnet.com/article/baidu-dns-records-hijacked-by-iranian-cyber-army/

This paper says it was purely social engineering on the registrar. No
change in the DNS would help.

> The selection is automatic, commonly TOP-N domain names.

OK, so if I want my own personal vanity domain name to be well cached,
I just have to hire a botnet to send many requests for bortzmeyer.org.

Also, it seems you mix "important" with "often
queried". impots.gouv.fr (the tax service) is important in France, if
you cannot reach it, you'll not be able to pay and you will be
fined. But it does not see a lot of requests, typical people use it
once a year.

> How long the SERVFAIL cache will last usually depends on ISP network
> BGP status, especially when the recursive sends a DNS query when the NS
> server is in another ISP.

You mean the name server has to know BGP?

> The pre-fetching is something like link-fetching (
> https://en.wikipedia.org/wiki/Link_prefetching ), shortening the response
> time.
> Again, pre-fetching is part of "backup cache" for ddos attack rescue or
> baidu hijack rescue, etc.

I did not say pre-fetching is bad, I said it does not require any
change in the DNS server (it can be done from the outside).

> In "baofeng recursive ddos attack": short domain TTL + ns shutdown +
> huge amount of clients failing and retrying; prolonging the TTL can partly
> defend against the attack.

I did not say increasing the TTL is bad, I said it is a change in the
protocol and therefore your draft has to declare it updates RFC 1034
(and 1035).

> Sometimes a recursive receives hijacked data (cache-poisoning attack).
> If there is a security analysis module, users will benefit more.

If it is just asserting the validity of data before returning it to
the user, what do you need besides the already existing RFC 2181
(section 5.4.1) and RFC 5452 (specially sections 6 and 9)?

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
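Added example, not part of this thread or any draft discussed in it: the kind of checks the reply above points to, RFC 5452 section 9 (match a reply to the outstanding query) and RFC 2181 section 5.4.1 (accept only data the responding server is authoritative for), applied to a constructed query/response pair. Messages are plain dicts rather than wire format, and the server zone, addresses and records are assumed values.

```python
# Constructed example of the response checks a resolver applies before
# trusting data, after RFC 5452 s.9 and RFC 2181 s.5.4.1.
# Messages are dicts, not wire format; all values below are made up.

def _labels(name):
    """Split a domain name into a tuple of lower-cased labels."""
    return tuple(name.lower().rstrip(".").split("."))

def in_bailiwick(name, zone):
    """True if name equals zone or is a subdomain of it."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def response_matches_query(query, response):
    """RFC 5452 s.9: the reply must echo our QID and question, arrive from
    the address/port we sent to, and land on the port we sent from."""
    return (response["id"] == query["id"]
            and response["question"] == query["question"]
            and response["src"] == query["dst"]
            and response["dst_port"] == query["src_port"])

def accept_records(response, server_zone):
    """RFC 2181 s.5.4.1: keep only records inside the zone the server was
    asked about; return (kept, dropped) so rejections can be logged."""
    kept, dropped = [], []
    for rr in response["answer"] + response["authority"] + response["additional"]:
        (kept if in_bailiwick(rr["name"], server_zone) else dropped).append(rr)
    return kept, dropped

# Constructed pair: we asked the example.com server for www.example.com;
# the reply also carries a glue record for ns.example.net, which lies
# outside that server's bailiwick and must not enter the cache.
QUERY = {"id": 0x1A2B, "question": ("www.example.com", "A", "IN"),
         "dst": ("192.0.2.1", 53), "src_port": 40001}
RESPONSE = {"id": 0x1A2B, "question": ("www.example.com", "A", "IN"),
            "src": ("192.0.2.1", 53), "dst_port": 40001,
            "answer": [{"name": "www.example.com", "type": "A", "data": "192.0.2.10"}],
            "authority": [{"name": "example.com", "type": "NS", "data": "ns.example.net"}],
            "additional": [{"name": "ns.example.net", "type": "A", "data": "198.51.100.5"}]}

def check(query, response, server_zone):
    """Return (accepted records, note); None records means reply discarded."""
    if not response_matches_query(query, response):
        return None, "reply does not match outstanding query"
    kept, dropped = accept_records(response, server_zone)
    return kept, "dropped %d out-of-bailiwick record(s)" % len(dropped)

if __name__ == "__main__":
    print(check(QUERY, RESPONSE, "example.com"))
```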