
Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia


  • From: Falk Husemann <josen AT paketsequenz.de>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
  • Date: Wed, 02 May 2012 10:46:16 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Alex,

I wrote a quite lengthy reply to your questions, but want to send some
things ahead. If you want to improve security, you need a better
understanding of what your problem is. Here, ask yourself:

What do you want to defend against whom for how long?

Your post - to me - reads like: I want to defend everything against
everybody for ever, which is impossible. I have a feeling you have lots
of good questions, but lack the methodology to work out answers.

If I were you, I'd start with profiling what you want to defend against
and for how long. Write that down and post here, so we can work from there.

Also keep in mind that security provides no additional use to the
OpenNIC community if there is no adversary in sight. If there were no
burglars, you wouldn't need locks in your doors, would you? So don't
expect too enthusiastic a response when you propose security measures
which involve lots of work (every single command has to be replicated to
all servers, keep that in mind!) but provide no immediate benefit.

On 02.05.2012 07:22, Alex wrote:
> Out of sheer curiosity, and a desire to protect my friend, Alex
> Hanselka's pet project, I wanted to ask you all what all can be done to
> mitigate the threat of attacks such as concerted DDOS attacks against
> specific name servers, such as the IP address of the single
> authoritative root name server of OpenNIC.

There is exactly nothing you can do to protect against a massive scale
DDoS. But there's a lot that can be done against the normal threats a
nameserver faces. Also, drawing the picture of an omnipotent attacker is,
well, undefendable against. Most times though, the adversary is _not_
omnipotent.

> What attack countermeasures are possible, to mitigate attack, other than
> the obvious anti-cracking things like making sure you have a strong
> password, etc?

There should be no passwords involved when running a nameserver. I guess
you mean securing rndc access and access to remote shell services like
OpenSSH. Well, standard advice: Don't use passwords for SSH and limit
rndc to localhost.

> Is it wise to protect root name servers behind a VPN, or do the root
> name servers HAVE to be publicly accessible?

Read up on DNS and think again. If you don't understand the architecture
of DNS, a debate on security is free of sense. I recommend reading

The Concise Guide to DNS and BIND (by Nicolai Langfeldt), published by
Que (ISBN 0-7897-2273-9). The book is quite a good read by the DNS-HowTo
author.

> If the root name servers, and top-level domain name servers MUST be
> publicly addressable, do the authoritative name servers have to be
> publicly addressable, or can they hide behind name server proxies?
> (application-layer proxies, for example, such as specialized name
> servers which ONLY act to duplicate records, and are not actually
> responsible for them?)

What would be the benefit?


> Maybe I'm betraying my lack of knowledge, maybe I'm ignorant, but if I
> don't ask, I won't learn, and I rather like OpenNIC, and think the project
> has a lot of potential.

I agree.

> That said, I worry that the project is completely open to attack, and
> that if we are used for anything critical, the first DDOS would bring us
> down, and it would be an embarrassing defeat.

True, there's that. And then there's this:

<SNIP>
#!/bin/bash

function axfrall()
{
dig @${1} axfr geek
dig @${1} axfr neo
dig @${1} axfr fur
dig @${1} axfr ing
dig @${1} axfr micro
dig @${1} axfr bbs
dig @${1} axfr dyn
dig @${1} axfr gopher
dig @${1} axfr free
dig @${1} axfr geek
dig @${1} axfr indy
dig @${1} axfr null
}
TMPFILE=/tmp/onic$RANDOM
axfrall 84.200.228.200 | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq > ${TMPFILE}
nmap -A -p 21,23,80,443 -iL ${TMPFILE} -oA opennic -vvv
<SNAP>

> 1) What is the standard operating procedure for protecting name servers
> against DOS attacks?

Query rate limiting.


> 2) How does one protect name servers from being targeted in the first
> place?

Not running one is the best protection.

> 3) What can be done to protect servers from taking the full brunt of
> heavy loads?

Scale. Instead of n nameservers, run n+x nameservers. That's one of the
things DNS does very well.

> 4) What load balancing techniques are standard practice for name servers?

Anycast. Also keepalived can be a solution to increase availability in
case of hardware failure, but is no help when this omnipotent attacker
floods your bandwidth.

> 5) What might be some novel techniques to protect name servers from
> taking the full blow of sudden surges in user demand?

Shut the overloaded nameservers off. This would be a very radical and new
approach, though I don't recommend it ;-) See my answer to your point 3)
for a useful hint.

> 6) are there any P2P name server protocols to help distribute the load
> and take the strain off authoritative TLD name servers?

What exactly is wrong with DNS that needs fixing with P2P? It seems this
is a solution looking for a problem.

> 7) Is there such a thing as name server software that allows for DNSSEC
> and DANE that makes it easy to rotate certificates?

See 6).

> 8) Is there such a thing as name server software that is easy to
> configure, period?

Yes. Bind.

> 9) Is there such a thing as name servers that serve as mirrors/proxies
> for authoritative servers, and do nothing else?

You need to buy this book, Alex. Really. The DNS was designed with this
in mind, so there are caches and mirrors (called secondary nameservers).
You're just now using the DNS Cache your local router and/or your ISP
provides.

> 10) is it possible to have 30 powerful name servers located on distinct
> networks all over the world sit behind a single IP address using a fast
> iptables/proxychains proxy?

I guess, using the REDIRECT target. But this is stupid. You've just
introduced a new single point of failure this omnipotent adversary can
target. Anycast would be the solution here. Or more simple: See 3).

> 11) Is it possible to have more than one name server delegation for a
> given domain name? (just want this verified, clarified)

Yes, you can have as many as you want.

Greets,
Falk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPoPRYAAoJEPPG1NATKThtI4kH/2ChT9Yaa9CNy/bqfljLgl0F
8FtF9f8OwGwapvUCrlKUYM2HvFjf1BMmyUPIOPz9EPi8wx2ZVaVGOa8E24cV24GR
MAsotAcLIUnvsGGShDhEr52AR7L/jRx8MWxW65z4eRzVhTAJ+cdUZI3vXk4xD4PG
d9WUOVv+THnb3J/mpbnQb1B3SCemjXvL3f09OMSqHcjuV02fjxkd60ALlHCk+6HC
Kdprb4lN0XAuZXinmSxZ0DGKXr6GKQbInQKdZbNHZRe+6QZqqOR38EAFkFu+2vXV
3iMC62eVVe2tvmQ3aCoVJ3Bvol3B7CE3xyJVGF/ndDiBxGioO3rUurIhEVpgoCE=
=A9iW
-----END PGP SIGNATURE-----
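The script Falk quotes only works because the server hands out complete zones to anyone who asks for an AXFR, and his answer to the password question boils down to keeping rndc on localhost. As an added example, not from Falk's mail and not OpenNIC's real configuration, here is a small Python audit that checks a BIND named.conf for exactly those two settings: allow-transfer left open (BIND 9 permits transfers to any host when the directive is absent) and a controls channel that listens on, or accepts, more than loopback. The two configurations embedded in it are constructed for illustration; the key secret is a placeholder and the secondary addresses are documentation ranges.

```python
# Added example, not from the list post or from OpenNIC's configuration:
# audit a BIND named.conf for open zone transfers (what the AXFR script
# relies on) and an rndc control channel not limited to localhost.
# Both configs below are constructed; the key secret is a placeholder.
import re

WEAK_CONF = '''
options {
    directory "/var/named";
    recursion no;
};
controls {
    // rndc reachable on every interface, from any host
    inet * port 953 allow { any; };
};
zone "geek" {
    type master;
    file "db.geek";
    allow-transfer { any; };   // anyone can AXFR the whole zone
};
'''

HARDENED_CONF = '''
options {
    directory "/var/named";
    recursion no;
    allow-transfer { none; };  // default for every zone unless overridden
};
key "rndc-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET";   // placeholder; generate with rndc-confgen
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
acl secondaries { 192.0.2.53; 2001:db8::53; };   // documentation addresses
zone "geek" {
    type master;
    file "db.geek";
    allow-transfer { secondaries; };   // only our own secondaries may AXFR
};
'''

ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"[^{;]*\{')


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _block_body(text, open_idx):
    """Text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _acl_tokens(directive, body):
    """Address-match-list tokens of `directive { ... }` in body, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(directive), body)
    if not m:
        return None
    return [t.strip('"').lower() for t in re.findall(r"[^\s;]+", m.group(1))]


def audit_named_conf(conf):
    """Return a list of findings; an empty list means nothing flagged."""
    text = _strip_comments(conf)
    findings = []

    # 1. Zone transfers: BIND 9 allows AXFR to any host unless allow-transfer
    #    restricts it, either globally in options or per zone.
    global_xfer = None
    m = re.search(r"\boptions\s*\{", text)
    if m:
        global_xfer = _acl_tokens("allow-transfer", _block_body(text, m.end() - 1))
    if global_xfer and "any" in global_xfer:
        findings.append("options: allow-transfer { any; } permits zone transfers to everyone")
    for zm in ZONE_RE.finditer(text):
        name, body = zm.group(1), _block_body(text, zm.end() - 1)
        if not re.search(r"\btype\s+(master|primary)\s*;", body):
            continue  # only zones this server is authoritative for
        tokens = _acl_tokens("allow-transfer", body)
        if tokens is None and global_xfer is None:
            findings.append(f'zone "{name}": no allow-transfer anywhere, so AXFR is open by default')
        elif tokens and "any" in tokens:
            findings.append(f'zone "{name}": allow-transfer {{ any; }} permits zone transfers to everyone')

    # 2. rndc control channel: listen on loopback only and accept loopback only.
    m = re.search(r"\bcontrols\s*\{", text)
    if m:
        body = _block_body(text, m.end() - 1)
        for addr in re.findall(r"\binet\s+([^\s;]+)", body):
            if addr in ("*", "0.0.0.0", "::", "any"):
                findings.append(f"controls: inet {addr} exposes rndc on every interface")
        allow = _acl_tokens("allow", body)
        if allow and "any" in allow:
            findings.append("controls: allow { any; } lets any host reach rndc")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_named_conf(conf) or ['no findings']}")
```

The parser is deliberately minimal (brace matching plus a few regexes), enough for the shapes shown; a production check would use named-checkconf -p to get a normalised configuration first.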
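Falk answers question 1) with two words, "Query rate limiting." As an added example, not code from the list post or from any nameserver the thread discusses, here is a simplified Python model of DNS response rate limiting in the spirit of BIND's rate-limit clause: responses are budgeted per (client /24, query name) in a one-second window, and over the budget every slip-th response is sent truncated rather than dropped, so a genuine resolver whose address is being spoofed can still retry over TCP while a reflection victim only receives small packets. The window, the keying and the constructed query log are assumptions made for the example; BIND's real implementation also keys on query type and response code and has more knobs.

```python
# Added example, not from the list post: a simplified response-rate-limiting
# (RRL) model.  Keys on (client /24, qname) like BIND's rate-limit clause,
# but ignores qtype/rcode and uses a fixed window; `slip` controls how often
# an over-limit response is truncated (TC bit) instead of silently dropped.
from collections import Counter
from ipaddress import ip_network


class ResponseRateLimiter:
    """Per-(source /24, query name) response budget with slip truncation."""

    def __init__(self, responses_per_second=5, slip=2, window=1.0):
        self.rps = responses_per_second
        self.slip = slip        # 0 disables truncation: drop everything over the limit
        self.window = window    # seconds per budget window (assumption: fixed window)
        # (prefix, qname) -> [window_start, responses_in_window, over_limit_count]
        self._state = {}

    def decide(self, src_ip, qname, now):
        """Return 'answer', 'truncate' or 'drop' for one query arriving at `now`."""
        prefix = str(ip_network(f"{src_ip}/24", strict=False))
        key = (prefix, qname.lower().rstrip("."))
        st = self._state.get(key)
        if st is None or now - st[0] >= self.window:
            st = self._state[key] = [now, 0, 0]   # start a new window
        st[1] += 1
        if st[1] <= self.rps:
            return "answer"
        st[2] += 1
        if self.slip and st[2] % self.slip == 0:
            return "truncate"   # tiny TC=1 reply; a real client retries over TCP
        return "drop"


def build_sample_log():
    """Constructed query log lines (timestamp, source, qname, qtype); not real traffic."""
    lines = [
        "1335948000.10 198.51.100.7 www.example.geek. A",
        "1335948000.40 198.51.100.7 mail.example.geek. MX",
        "1335948000.70 198.51.100.7 ns1.example.geek. AAAA",
    ]
    # 20 identical ANY queries inside one second, with the source address
    # hopping within a single /24 (the shape of spoofed reflection traffic).
    for i in range(20):
        lines.append(f"1335948000.{i:02d}5 203.0.113.{i % 4 + 1} example.geek. ANY")
    return "\n".join(lines)


def parse_query_log(text):
    for line in text.strip().splitlines():
        ts, src, qname, qtype = line.split()
        yield float(ts), src, qname, qtype


def simulate(log_text, responses_per_second=5, slip=2):
    """Run a log through the limiter; returns a Counter keyed by (source /24, decision)."""
    limiter = ResponseRateLimiter(responses_per_second, slip)
    outcome = Counter()
    for ts, src, qname, _qtype in parse_query_log(log_text):
        prefix = str(ip_network(f"{src}/24", strict=False))
        outcome[(prefix, limiter.decide(src, qname, ts))] += 1
    return outcome


if __name__ == "__main__":
    for (prefix, decision), n in sorted(simulate(build_sample_log()).items()):
        print(f"{prefix:18} {decision:9} {n}")
```

With the defaults, the legitimate resolver's three distinct queries are all answered, while the flood gets five answers, seven truncated replies and eight drops; raising responses_per_second or lowering slip trades amplification exposure against the chance of starving a shared resolver that sits behind the same /24 as the spoofed source.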