[nsp-sec] Solutions for the DNS vul? - Suggestion

Florian Weimer fweimer at bfk.de
Thu Jul 24 15:02:13 EDT 2008


* jonathan curtis:

> 1. Two tier server architecture for all DNS cache systems.
>         -  Larger ISP's have 20+ DNS Cache servers, this concept is to create a pool of 4-5 Cache Authority servers and point the 20+ caching servers to them for upstream resolution. Then place more protection and security measures on those 4-5 servers where performance isn't going to be as much of a concern.  This also provides for a good place to do DNS domain/name-server reputation and injection for phishing / botnet domains.

Does really help because with most implementations, the real cost is
in the cache miss.  And this gets expensive if you use multiple source
ports, no matter what.  You could use more efficient implementations
on the out resolvers, though.

>         - Implement NIDS/NIPS/other products in front of the
>         Auth-Cache servers.

I guess there won't be any signatures for attacks in general, only for
specific tools. 8-(

> 2. Implement TLD's within your AS - a shorter path to the right
> answer might beat out a wrong answer ... < John K.  This might be
> the key to justifying it. >

In my lab tests, the RTT did not have significant impact on the time
to success.  It gets more difficult when you approach 0ms, of course,
but how realistic is that for a large AS?  In the 20ms range, the
attack is still totally feasible.  And the smaller ASes probably can't
get TLD servers.

You can make your resolvers authoritative for the root, though.  Some
give explicit permission to transfer the zone from their servers.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
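The thread turns on whether a resolver actually spreads its upstream queries across many source ports (and transaction IDs), which is the property that makes the cache-miss path expensive but is what buys resistance to forged answers. The following is an added example, not part of Florian Weimer's message or any tool discussed in the thread: a small Python check that takes a sample of (source port, transaction ID) pairs, such as one would extract from a capture of a resolver's outbound traffic, and reports how much the ports and IDs actually vary. The sample data is constructed in the script with a seeded PRNG; the threshold of 10 bits of empirical port entropy is an assumption chosen for the sample size used here.

```python
"""Assess source-port and transaction-ID spread of a resolver's outbound
queries. Added example with constructed input; not from the original post."""
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy (bits) of the empirical distribution of `values`.

    Note: this is bounded above by log2(len(values)), so it only says how
    varied the *observed* sample is, not the resolver's true port range.
    """
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(values):
    """Fraction of consecutive pairs that differ by exactly +1.

    A value near 1.0 means the ports come from a counter: every port is
    distinct (high entropy), yet each one is trivially predictable.
    """
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess(queries, min_port_bits=10.0):
    """queries: sequence of (src_port, txid) in the order they were sent.

    Returns a summary dict; `weak` is True when the ports are effectively
    fixed or predictable, i.e. the resolver relies on the 16-bit ID alone.
    """
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    report = {
        "queries": len(queries),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "ports_sequential": sequential_fraction(ports) > 0.9,
    }
    report["weak"] = (report["port_entropy_bits"] < min_port_bits
                      or report["ports_sequential"])
    return report


def sample(kind, n=4096, seed=2008):
    """Constructed sample traffic (not captured data), one of three kinds:
    'fixed'      - every query from port 53 (the classic weak setup),
    'sequential' - ports handed out from a counter starting at 1024,
    'random'     - ports drawn uniformly from 1024..65535.
    Transaction IDs are random in all three cases."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        txid = rng.randrange(65536)
        if kind == "fixed":
            port = 53
        elif kind == "sequential":
            port = 1024 + i
        else:
            port = rng.randrange(1024, 65536)
        out.append((port, txid))
    return out


if __name__ == "__main__":
    for kind in ("fixed", "sequential", "random"):
        print(kind, assess(sample(kind)))
```

The sequential case is the one worth noticing: it has as many distinct ports as the random case and nearly the same empirical entropy, so an entropy figure on its own would pass it. The ordering check is what catches it, which is why the script keeps the queries in send order rather than just counting ports.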


