On Thu, Jun 25, 2020 at 10:20:49PM +0530, Mukund Sivaraman wrote:
> For whoever is interested, this is a description of a pattern of queries
> noticed at busy public resolvers that has led to issues in at least 4
> different sites in the last 2 months.
>
> The current revision is a work in progress. We are still developing some
> mitigations for NIOS, and some more introductory text also has to be
> added.
This might be another mitigation:
3) "EFMB Caching: Endless Forms Most Beautiful Caching" [0]
Since DNS messages are often disposed of in tens of ms, and
authorities express TTL in whole second increments, recursive
pools might adjust the 'smaller TTLs' (perhaps defined as <5 min)
to any prime number within, say, +/-10% or more of the answer TTL.
So a 60 second TTL becomes perhaps 53, 59, 61, 67, or 71, etc.
Such adjustment is picked uniquely (perhaps using L2 internals or
UUIDs) by nodes in a recursive farm. Upon expiration, the herd of
expired recursives forms an in-order refresh to the authority,
spaced by seconds or more. The software changes for this behavior
appear minimal, as it slightly adjusts a TTL just prior to
caching, with reference to some UUID, MAC, etc.
This avoids the need to share cache additions among a recursive
pool---an expensive and complex task that amplifies mass cache
ejection attacks caused by, e.g., Facebook's session-specific
dynamic domains.
Using your "thundering herd" metaphor, this is like the natural
selection of prime numbers in insect swarming populations (e.g.,
13-year cicadas are common, since the 2-, 4- and 6-year cicada
populations coincided with periodic predator increases, and were
not selected over generations; cf.
https://cims.nyu.edu/~eve2/predprey.pdf ).
This is a very interesting problem, so thanks for addressing this,
even if this idea doesn't prove useful.
[0] Darwin: "whilst this planet has gone cycling on according to the
fixed law of gravity, from so simple a beginning endless forms most
beautiful and most wonderful have been, and are being, evolved." So
too has DNS followed seemingly fixed basic laws, and yet changed
endlessly to address complex problems, real or perceived.
--
David Dagon
[email protected]
D970 6D9E E500 E877 B1E3 D3F8 5937 48DC 0FDC E717
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
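The per-node prime-TTL jitter sketched in the message above, as an added worked example. This is not code from the post, from NIOS, or from any resolver; it assumes a 5-minute cutoff for "smaller TTLs" (the post's "perhaps defined as <5 min"), uses a SHA-256 of an arbitrary node identifier in place of the UUID or MAC the post mentions, takes the window as an integer percentage, and simulates a constructed ten-node farm whose members each re-query the authority at every multiple of their own jittered TTL. With a 60 s record, a 20% window yields exactly the post's 53, 59, 61, 67, 71; a 10% window yields only 59 and 61.

```python
"""Per-node prime TTL jitter for a recursive resolver pool.

Added example; not code from the post or from any resolver implementation.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple

# Assumption, taken from the post's "perhaps defined as <5 min": only TTLs
# below this are jittered; longer TTLs are cached exactly as the authority sent them.
SMALL_TTL_MAX = 300


def is_prime(n: int) -> bool:
    """Trial division; TTLs under five minutes are tiny, so this is plenty."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, math.isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def primes_in_window(ttl: int, spread_pct: int = 10) -> List[int]:
    """Primes within +/- spread_pct percent of ttl (integer arithmetic, no float rounding).

    For a 60 s TTL, 10% gives only 59 and 61; 20% gives the post's 53, 59, 61, 67, 71.
    """
    lo = -(-ttl * (100 - spread_pct) // 100)   # ceiling division
    hi = ttl * (100 + spread_pct) // 100
    return [n for n in range(max(lo, 2), hi + 1) if is_prime(n)]


def jittered_ttl(ttl: int, node_id: str, spread_pct: int = 10) -> int:
    """Choose the prime this node will cache the answer under.

    node_id stands in for the post's UUID / MAC (assumed identifier); hashing it
    makes the choice stable per node without any coordination between pool members.
    """
    if ttl >= SMALL_TTL_MAX:
        return ttl
    candidates = primes_in_window(ttl, spread_pct)
    if not candidates:            # window too narrow to contain a prime (e.g. tiny TTLs)
        return ttl
    digest = hashlib.sha256(node_id.encode()).digest()
    return candidates[int.from_bytes(digest[:8], "big") % len(candidates)]


def recoincidence_period(a: int, b: int) -> int:
    """Seconds until two nodes refreshing every a and b seconds hit the authority together.

    This is the point of primes: lcm(59, 61) = 3599, whereas lcm(54, 60) = 540.
    """
    return a * b // math.gcd(a, b)


def refresh_load(ttls: Dict[str, int], horizon: int) -> Counter:
    """Per-second count of nodes whose cache entry expires, over `horizon` seconds.

    Each node refreshes at every multiple of its own TTL (steady state, no
    prefetching), which is the arrival pattern the authority sees from the pool.
    """
    load: Counter = Counter()
    for ttl in ttls.values():
        for t in range(ttl, horizon + 1, ttl):
            load[t] += 1
    return load


def peak_load(ttls: Dict[str, int], horizon: int) -> int:
    """Largest number of nodes refreshing in any single second."""
    load = refresh_load(ttls, horizon)
    return max(load.values()) if load else 0


def compare_pool(ttl: int, node_ids: List[str], spread_pct: int, horizon: int) -> Tuple[int, int]:
    """Peak simultaneous refreshes without jitter vs. with per-node prime jitter."""
    baseline = {n: ttl for n in node_ids}
    jittered = {n: jittered_ttl(ttl, n, spread_pct) for n in node_ids}
    return peak_load(baseline, horizon), peak_load(jittered, horizon)


if __name__ == "__main__":
    pool = [f"resolver-{i:02d}" for i in range(10)]   # constructed ten-node farm
    print("candidates for 60 s at 20%:", primes_in_window(60, 20))
    print({n: jittered_ttl(60, n, 20) for n in pool})
    print("peak herd size (no jitter, jitter):", compare_pool(60, pool, 20, 600))
    print("59 s and 61 s nodes coincide again after", recoincidence_period(59, 61), "s")
```

Two caveats a deployment would have to settle. First, every prime above the authoritative TTL (61, 67, 71 for a 60 s record) has the node serving the record past the lifetime the authority set; a conservative variant restricts the window to primes at or below the TTL, at the cost of fewer candidates. Second, candidate count bounds the benefit: ten nodes spread over the two primes a 10% window allows for 60 s still form two herds, so the post's "or more" on the window size does real work.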