Re: DNS was Re: Internet Vulnerabilities

[Måns Nilsson <mansaxel () sunet se>]

--On Friday, July 05, 2002 17:50:24 +0100 Simon Waters
<Simon () wretched demon co uk> wrote:


> I
> would guess the "." zone probably isn't that large in absolute
> terms, so large ISPs (NANOG members ?) could arrange for their
> recursive servers to act as private secondaries of ".", thus
> eliminating the dependence on the root servers entirely for a
> large chunks of the Internet user base.

-rw-r--r--   1 9998     213         14102 Jul 14 19:56 root.zone.gz
-rw-r--r--   1 9998     213            75 Jul 14 20:41 root.zone.gz.md5
-rw-r--r--   1 9998     213            72 Jul 14 20:42 root.zone.gz.sig

> I think the kinds of zones being handled by the gtld-servers
> would be harder to relocate, if only due to size, although the
> average NANOG reader probably has rather more bandwidth
> available than I do, they may not have the right kind of spare
> capacity on their DNS servers to secondary ".com" at short
> notice.

Exactly. The .com zone is large. I doubt that the average NANOG 
reader has a 16GB RAM machine idling just in case some kiddie 
wants to DoS Verisign. 

> All I think root server protection requires is someone with
> access to the relevant zone to make it available through other
> channels to large ISPs. There is no technical reason why key DNS
> infrastructure providers could not implement such a scheme on
> their own recursive DNS servers now, and it would offer to
> reduce load on both their own, and the root DNS servers and
> networks.

Network load is hardly the problem, except in very starved cases; 
a big well-used server will perhaps fill a T-1 or two. 

> The single limiting factor on implementing such an approach
> would be DNS know-how, as whilst it is probably a two line
> change for most DNS servers to forward to their ISPs DNS server
> (or zone transfer "."), many sites probably lack the inhouse
> skills to make that change at short notice.

This is the problem with "clever tricks"; they can be implemented
by people who are "in the loop", but most others will not make it 
work. 

> In practical terms I'd be more worried about smaller attacks
> against specific CC domains, I could imagine some people seeing
> disruption of "il" as a more potent (and perhaps less globally
> unpopular) political statement, than disrupting the whole
> Internet. Similarly an attack on a commercial subdomain in a
> specific country could be used to make a political statement,
> but might have significant economic consequences for some
> companies. Attacking 3 or 4 servers is far easier than attacking
> 13 geographically diverse, well networked, and well protected
> servers.
>
> Similarly I think many CC domains, and country based SLD are far
> more "hackable" than many people realised due to the extensive
> use of out of bailiwick data, as described by DJB. At some point
> the script kiddies will realise they can "own" a country or two
> instead of one website, by hacking one DNS server, and the less
> well secured DNS servers will all go in a week or two.

I definitely agree. ccTLDen are in very varying states of security 
awareness, and while I believe .il is aware and prepared, other 
conflict zone domains might not be... 

-- 
Måns Nilsson            Systems Specialist
+46 70 681 7204         KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.