North American Network Operators Group
Re: DNS was Re: Internet Vulnerabilities
--On Friday, July 05, 2002 17:50:24 +0100 Simon Waters <[email protected]> wrote:

> I would guess the "." zone probably isn't that large in absolute
> terms, so large ISPs (NANOG members ?) could arrange for their
> recursive servers to act as private secondaries of ".", thus
> eliminating the dependence on the root servers entirely for
> large chunks of the Internet user base.

-rw-r--r--   1 9998   213    14102 Jul 14 19:56 root.zone.gz
-rw-r--r--   1 9998   213       75 Jul 14 20:41 root.zone.gz.md5
-rw-r--r--   1 9998   213       72 Jul 14 20:42 root.zone.gz.sig

> I think the kinds of zones being handled by the gtld-servers
> would be harder to relocate, if only due to size, although the
> average NANOG reader probably has rather more bandwidth
> available than I do, they may not have the right kind of spare
> capacity on their DNS servers to secondary ".com" at short
> notice.

Exactly. The .com zone is large. I doubt that the average NANOG reader has a 16GB RAM machine idling just in case some kiddie wants to DoS Verisign.

> All I think root server protection requires is someone with
> access to the relevant zone to make it available through other
> channels to large ISPs. There is no technical reason why key DNS
> infrastructure providers could not implement such a scheme on
> their own recursive DNS servers now, and it would offer to
> reduce load on both their own, and the root DNS servers and
> networks.

Network load is hardly the problem, except in very starved cases; a big well-used server will perhaps fill a T-1 or two.

> The single limiting factor on implementing such an approach
> would be DNS know-how, as whilst it is probably a two line
> change for most DNS servers to forward to their ISP's DNS server
> (or zone transfer "."), many sites probably lack the in-house
> skills to make that change at short notice.

This is the problem with "clever tricks"; they can be implemented by people who are "in the loop", but most others will not make it work.
> In practical terms I'd be more worried about smaller attacks
> against specific CC domains, I could imagine some people seeing
> disruption of "il" as a more potent (and perhaps less globally
> unpopular) political statement, than disrupting the whole
> Internet. Similarly an attack on a commercial subdomain in a
> specific country could be used to make a political statement,
> but might have significant economic consequences for some
> companies. Attacking 3 or 4 servers is far easier than attacking
> 13 geographically diverse, well networked, and well protected
> servers.
>
> Similarly I think many CC domains, and country based SLD are far
> more "hackable" than many people realised due to the extensive
> use of out of bailiwick data, as described by DJB. At some point
> the script kiddies will realise they can "own" a country or two
> instead of one website, by hacking one DNS server, and the less
> well secured DNS servers will all go in a week or two.

I definitely agree. ccTLDs are in very varying states of security awareness, and while I believe .il is aware and prepared, other conflict zone domains might not be...

-- 
Måns Nilsson             Systems Specialist
+46 70 681 7204          KTHNOC
MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.
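The "private secondary of ." arrangement discussed in the thread, written out as a BIND 9 configuration fragment. This is an added illustration, not configuration from the original post or from either poster; the transfer source 192.0.2.53 and the file name are assumed placeholders standing in for wherever a site obtains the root.zone.gz mentioned above.

```conf
// Added illustration (not from the thread): a recursive BIND 9 resolver
// that also holds a private copy of the root zone, so lookups of TLD
// delegations keep working if the public root servers are unreachable.
// 192.0.2.53 is an ASSUMED placeholder for the in-house host that
// redistributes the root zone; it is deliberately not a public root server.
options {
    directory "/var/named";
    recursion yes;                  // still a normal recursive resolver
};

zone "." {
    type slave;                     // "type secondary" in newer BIND releases
    file "root.slave";              // on-disk copy survives a restart
    masters { 192.0.2.53; };        // transfer source for the zone
    notify no;                      // this is a private copy, tell nobody
    allow-transfer { none; };       // and do not redistribute it further
    // Caveat: a plain slave copy trusts whatever the transfer source
    // sends. Verify the copy against root.zone.gz.md5 / .sig out of band,
    // or on BIND 9.14+ use "type mirror;" to have the transferred zone
    // DNSSEC-validated before it is served. The SOA expire for "." is
    // 604800 s (one week): if transfers stop, the copy goes stale and the
    // server will refuse to answer for "." after that, so monitor the
    // zone's serial and transfer status as you would any other secondary.
};
```

The same idea was later written up as RFC 7706 (obsoleted by RFC 8806), which serves a validated root copy on loopback instead of on a shared recursive server.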