Stephane Bortzmeyer <[email protected]>于2016年3月29日周二 下午9:48写道:
> On Mon, Mar 28, 2016 at 05:38:01AM +0000, > abby pan <[email protected]> wrote > a message of 246 lines which said: > > > 1) baofeng recursive ddos attack(2009): > > http://www.pcworld.com/article/165319/article.html > > A more technical reference for this attack is the OARC talk > <https://www.dns-oarc.net/files/workshop-200911/Ziqian_Liu.pdf> > > yes, in ziqian_liu's talk , they "Increase the TTL of baofeng.com related RRs" on the cache to rescue > > 2) baidu dns hijack(2010): > > > http://www.zdnet.com/article/baidu-dns-records-hijacked-by-iranian-cyber-army/ > > This paper says it was purely social engineering on the registrar. No > change in the DNS would help. > if cache can temporary prolong the ttl of baidu ns, that will help. > > The selection is automatic, commonly TOP-N domain names. > > OK, so if I want my own personal vanity domain name to be well cached, > I just have to hire a botnet to send many requests for bortzmeyer.org. > > Also, it seems you mix "important" with "often > queried". impots.gouv.fr (the tax service) is important in France, if > you cannot reach it, you'll not be able to pay and you wil be > fined. But it does not see a lot of requests, typical people use it > once a year. > yes, simply online TOP-N is easy to around. But the "hot" domain we can pre-set, as your example, like "*.gov.cn", “ qq.com", "baidu.com", "taobao.com" in china. We manage the "most important" domain list, not just from dns query count, but also the service data flow associated with the domain, also from some company alliance. > > How long will the SERVFAIL cache last usually depend on ISP network > > bgp status, especially when recursive send dns query when the ns > > server is in other ISP. > > You mean the name server has to know BGP? > I mean if cache server can check the NS BGP status with some addtional module, the rtt of dns query will be benefits. But as Evan Hunt says, that's not "should" , but can be a choice. > > > The pre-fetching is something like link-fetching( > > https://en.wikipedia.org/wiki/Link_prefetching ), shortten the response > > time. > > Again, pre-fetching is part of "backup cache" for ddos attack resuce or > > baidu hijack rescue, etc. > > I did not say pre-fetching is bad, I said it does not require any > change in the DNS server (it can be done from the outside). > I did not say that need change in the DNS server's normal task. but it can be some additonal module to active when encounter ddos or hijack ( outside the normal case ) . > > > In "baofeng recursive ddos attack": short domain TTL + ns shutdown + > > huge amount client fail and retry prolonging the TTL can partly > > defense the attack. > > I did not say increasing the TTL is bad, I said it is a change in the > protocol and therefore your draft has to declare it updates RFC 1034 > (and 1035). > same as above, it can be some additonal module to active when encounter ddos or hijack ( outside the normal case ) . so that's not change in the protocol, not change the normal dns query/response. it's actived to auto defense when huge count to 1s TTL suddenly rise. > > > Sometimes recursive receive hijack data (cache-poisoning attack). > > if there is an security analysis module, users will more benefits. > > If it is just asserting the validity of data before returning it to > the user, what do you need besides the already existing RFC 2181 > (section 5.4.1) and RFC 5452 (specially sections 6 and 9)? > again, it is not change the protocol, but some additional module to validate the data in cache dns operation. comodo, opendns has give the protect service : http://www.computerworld.com/article/2872700/6-dns-services-protect-against-malware-and-other-unwanted-content.html for example, detect hijack phishing ip of xxx.qq.com , help to correct or block it. -- Best Regards Pan Lanlan Tel: +86 186 9834 2356
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
