
[opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
  • From: Alex <coyo AT darkdna.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
  • Date: Wed, 02 May 2012 00:22:39 -0500
  • Openpgp: id=C34ED745

Out of sheer curiosity, and a desire to protect my friend, Alex
Hanselka's pet project, I wanted to ask you all what all can be done to
mitigate the threat of attacks such as concerted DDOS attacks against
specific name servers, such as the IP address of the single
authoritative root name server of OpenNIC.

What attack countermeasures are possible, to mitigate attack, other than
the obvious anti-cracking things like making sure you have a strong
password, etc?

Is it wise to protect root name servers behind a VPN, or do the root
name servers HAVE to be publicly accessible?

If the root name servers, and top-level domain name servers MUST be
publicly addressable, do the authoritative name servers have to be
publicly addressable, or can they hide behind name server proxies?
(application-layer proxies, for example, such as specialized name
servers which ONLY act to duplicate records, and are not actually
responsible for them?)

Maybe I'm betraying my lack of knowledge, maybe I'm ignorant, but if I
don't ask, I won't learn, and I rather like OpenNIC, and think the project
has a lot of potential.

That said, I worry that the project is completely open to attack, and
that if we are used for anything critical, the first DDOS would bring us
down, and it would be an embarrassing defeat.

So, to that end, I have a few more questions to pelt you guys with, if
you don't mind...

1) What is the standard operating procedure for protecting name servers
against DOS attacks?

2) How does one protect name servers from being targeted in the first
place?

3) What can be done to protect servers from taking the full brunt of
heavy loads?

4) What load balancing techniques are standard practice for name servers?

5) What might be some novel techniques to protect name servers from
taking the full blow of sudden surges in user demand?

6) Are there any P2P name server protocols to help distribute the load
and take the strain off authoritative TLD name servers?

7) Is there such a thing as name server software that allows for DNSSEC
and DANE that makes it easy to rotate certificates?

8) Is there such a thing as name server software that is easy to
configure, period?

9) Is there such a thing as name servers that serve as mirrors/proxies
for authoritative servers, and do nothing else?

10) Is it possible to have 30 powerful name servers located on distinct
networks all over the world sit behind a single IP address using a fast
iptables/proxychains proxy?

11) Is it possible to have more than one name server delegation for a
given domain name? (just want this verified, clarified)

Attachment: 0xC34ED745.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
Archive powered by MHonArc 2.6.19.