It's still sad that we lost open SMTP relays. It's sad that we're losing open DNS resolvers too. Shame to see the internet continue to get more locked down and less open.
I used to find it quite handy to query the DNS of a customer's ISP, etc, when debugging.
I think a better long term solution is moving to transport protocols like SCTP and choosing cookies that put computational burden on the initiator. Of course it would make the mobile sector unhappy.
Authoritative DNS servers are used in attacks too, they are however a lot smaller scale. Querying one big zone across 10,000 recursive servers vs. querying the same big zone against 2 authoritative servers.
Wow, that's a really good question. Thinking about this a bit, I don't think authoritative servers pose as big of a problem in practice. DNS amplification attacks require that the size of the response be much larger than the size of the query (which is why it's an "amplification" attack). Right now amplification attacks query for the same large response via lots of different open resolvers. However, I suspect the majority of authoritative servers out there only ever return small responses, which would limit the number of servers an attacker could use in an amplification attack. Furthermore, the attacker would need to tailor a specific query for each server rather than using the same query for all of them, making the attack more difficult to pull off.
What's the impact of this kind of thinking on intentionally "misconfigured" DNS resolvers like Google Public DNS, OpenDNS, etc? Is CloudFlare pushing for a world where I have no choice but my ISP's DNS servers, which return their advertising server's IP instead of NXDOMAIN?
Google Public DNS uses rate limiting and some heuristics to reduce the likelihood of being used in a DNS amplification attack [1]. I presume OpenDNS does something similar.
Even if public DNS resolvers didn't exist, you could still run your own private recursive name server (either on your computer or on your home router) and avoid your ISP's. That's what I do.
12 comments
[ 3.8 ms ] story [ 40.3 ms ] threadI think a better long term solution is moving to transport protocols like SCTP and choosing cookies that put computational burden on the initiator. Of course it would make the mobile sector unhappy.
Is the next logical step going to be war on "open" authoritative DNS servers?
Even if public DNS resolvers didn't exist, you could still run your own private recursive name server (either on your computer or on your home router) and avoid your ISP's. That's what I do.
[1] https://developers.google.com/speed/public-dns/docs/security...