Mitigation of server's load by queries for non-existing domains

Mukund Sivaraman muks at isc.org
Tue Jan 12 17:16:55 UTC 2016


Hi Tomas

On Tue, Jan 12, 2016 at 05:53:20PM +0100, Tomas Hozza wrote:
> Hello all.
> 
> Recently I was trying to find a mechanism in BIND that could prevent
> the server from processing a recursive query for non-existing
> domains. The issue I was trying to solve was that when server was
> getting too many queries for such domains it was not able to handle
> other relevant queries. The non-existing domains have just few common
> non-existing parent domains, so one can match most of them by wildcard
> RR.

The attack you are describing is probably the well-known-by-now attack
called "water torture" or "random subdomain" attack. If you search for
these phrases, you'll see several presentations made on the topic.

> I was thinking about using RPZ with QNAME policy trigger, but this
> applies only to the responses to queries and still makes the server
> try to resolve it. As far as I'm familiar with RRL, it will also not
> help, since it also applies to the response to a query.
> 
> One possible solution that came to my mind was to define a zone for
> each of the "parent" domains and then just return localhost address or
> something similar to any query to that domain. I know this is kind of
> dummy, but this was the first thing that came to my mind. I know the
> server will still process the query, but will at least not do any
> recursion.
> 
> Is there any better mechanism to solve such problem?

This is an on-going problem for DNS and several measures are being
considered:

Making aggressive use of NSEC/NSEC3:
https://tools.ietf.org/html/draft-fujiwara-dnsop-nsec-aggressiveuse-01

Bloom filtering from queries:
https://github.com/hdais/unbound-bloomfilter

Evan Hunt is considering proposing another bloom filtering method by
using a bloom bitfield RR. We are thinking of what else could help,
including tagging of malware clients via RPZ zones provided by relevant
feed providers.

There are some measures in 9.10.3 (read about "fetches-per-server" and
"fetches-per-zone" in the ARM).

		Mukund
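
The two knobs Mukund points at, together with the static-zone idea from the original question, in one named.conf fragment. This is an added example written for this page, not configuration from the thread or from ISC; the client range, the directory, the zone name "example.test" and the zone file name "db.sinkhole" are placeholders chosen here. The options below require BIND 9.10.3 or later.

```conf
// Added example (not from the thread): capping the recursion a
// random-subdomain flood can consume, BIND 9.10.3+ syntax.
options {
    directory "/var/named";             // assumed path
    recursion yes;
    allow-recursion { 192.0.2.0/24; };  // constructed client range

    // Maximum simultaneous outstanding fetches for names in or beneath
    // one zone. Every <random>.example.com query counts against the same
    // example.com bucket, so a flood hits the limit while fetches for
    // unrelated zones keep flowing. "fail" answers excess clients with
    // SERVFAIL; "drop" discards their queries without any response.
    fetches-per-zone 200 fail;

    // Maximum simultaneous outstanding fetches to any one authoritative
    // server address, so a flood aimed at one slow or dead authority
    // cannot tie up the whole recursive fetch pool.
    fetches-per-server 400 fail;

    // Parameters for the adaptive per-server quota:
    // recalculation interval (queries), low and high timeout ratios,
    // and the discount applied when the quota is reduced.
    // These are the ARM's default values, spelled out explicitly.
    fetch-quota-params 100 0.1 0.3 0.7;
};

// The static-zone approach from the original question, minus the wildcard:
// declare the abused parent domain as a local master zone. Every query
// under it is then answered authoritatively from the zone file (NXDOMAIN
// for names that do not exist in it) and never triggers recursion.
// "example.test" stands in for the real abused parent domain.
zone "example.test" {
    type master;
    file "db.sinkhole";   // assumed file name; minimal content shown below
};

// db.sinkhole (SOA and NS only, so every name beneath the apex gets
// NXDOMAIN without a single outbound fetch; ns needs an in-zone A record
// because it lives below the apex):
//
//   $TTL 3600
//   @    IN  SOA  ns.example.test. hostmaster.example.test. (
//                 1 3600 900 604800 3600 )
//   @    IN  NS   ns.example.test.
//   ns   IN  A    127.0.0.1
```

Start with the limits set high and watch the "fetches" counters in `rndc status` and the `spill` log messages before tightening them, because the per-zone counter is keyed on the closest known delegation point: legitimate traffic for a large, busy zone shares the bucket with the flood, so a limit that is too low turns the attack into self-inflicted SERVFAIL for real clients of that zone. The static zone only helps once the abused parent domains are known; it does nothing against a flood that moves to a new parent.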

