Introduction to DNS-OARC

Submitted by admin on Thu, 07/03/2008 - 22:40
The DNS Operations, Analysis, and Research Center (DNS-OARC) brings together key operators, implementors, and researchers on a trusted platform so they can coordinate responses to attacks and other concerns, share information and learn together. DNS-OARC has five key functions:
  • Information Sharing. DNS-OARC provides a trusted, shared platform to allow the DNS operations community to share information and data. Stringent confidentiality requirements and secure communications mean that proprietary information can be shared on a bilateral basis.
  • Operational Characterization. As Internet traffic levels continue to grow, the demand on root and other key nameservers will outgrow the current infrastructure: this year's DDoS attack traffic levels will become next year's steady-state load. DNS-OARC measures the performance and load of key nameservers and publishes statistics on both traffic load and traffic type (including error types).
  • Workshops. DNS-OARC organizes semi-annual workshops where members and the public are invited to give presentations on timely topics relevant to both DNS operations and research.
  • Analysis. Leading researchers and developers provide long-term analysis of DNS performance and post-mortems of attacks so that institutional learning occurs. A well-provisioned system allows members to upload traces and logs, and to perform their own analysis.
  • Tools and Services. As vulnerabilities and DNS problems come to light, DNS-OARC develops publicly available tools and services to assist with highlighting, diagnosing, and remedying such problems.

Mitigating DNS Denial of Service Attacks

The DNS protocol is, unfortunately, an effective Denial-of-Service attack vector for a few reasons:
  • DNS generally uses the connectionless User Datagram Protocol (UDP) as its transport.
  • Many autonomous systems allow source-spoofed packets to enter their network.
  • There is no shortage of Open Resolvers on the Internet.
These three factors mean that attackers can create large amounts of unwanted response packets by reflecting DNS queries off open resolvers. In such an attack, a DNS query is generated with spoofed source IP addresses belonging to the victim. You can help reduce the effectiveness of these attacks by following the recommendations described below:

OARC's DNS Reply Size Test Server

Recent increases in DNSSEC deployment are exposing problems with DNS resolvers that cannot receive large responses. The maximum reply size between a DNS server and resolver may be limited by a number of factors:
  • If a resolver does not support the Extension Mechanisms for DNS (EDNS), replies are limited to 512 bytes.
  • The resolver may be behind a firewall that blocks IP fragments.
  • Some DNS-aware firewalls block responses larger than 512 bytes.
The BIND resolver, since version 9.5.0, includes a feature to decrease its advertised EDNS rec
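The reply-size limits listed above can be checked on the wire: a resolver that sends no EDNS0 OPT record is held to 512 bytes, and a server that cannot fit its answer sets the TC (truncated) bit. The Python below is an added illustration, not code from DNS-OARC's test server; it builds a query advertising a chosen EDNS UDP payload size and reads the TC bit and advertised size out of a response. The sample responses and the name `oarc.example` are constructed, not captured traffic.

```python
import struct

DNS_TYPE_OPT = 41
CLASSIC_UDP_LIMIT = 512   # pre-EDNS maximum UDP reply size (RFC 1035)

def encode_name(qname):
    """Encode a domain name in DNS wire format (length-prefixed labels, root terminator)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.strip(".").split(".") if l) + b"\x00"

def build_query(qname, qtype=1, udp_payload=None, txid=0x1234):
    """Build a recursive query; with udp_payload set, add an EDNS0 OPT RR advertising it."""
    arcount = 1 if udp_payload else 0
    pkt = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1, one question
    pkt += encode_name(qname) + struct.pack(">HH", qtype, 1)        # QTYPE, QCLASS=IN
    if udp_payload:
        # OPT pseudo-RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext flags (0), RDLENGTH=0
        pkt += b"\x00" + struct.pack(">HHIH", DNS_TYPE_OPT, udp_payload, 0, 0)
    return pkt

def skip_name(data, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length

def inspect_response(data):
    """Return (truncated, advertised); advertised is None when no OPT was sent, i.e. a 512-byte peer."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4     # skip QTYPE and QCLASS
    advertised = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        if off + 10 > len(data):           # record cut short; nothing more to read
            break
        rtype, rclass, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            advertised = rclass            # the CLASS field carries the payload size
        off += 10 + rdlen
    return bool(flags & 0x0200), advertised  # 0x0200 is the TC (truncated) bit

# Constructed samples (not captured traffic): a TC=1 reply without OPT from a pre-EDNS server, and an EDNS reply echoing 4096.
_Q = encode_name("oarc.example") + struct.pack(">HH", 1, 1)
SAMPLE_TRUNCATED = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _Q
SAMPLE_EDNS = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 0, 0, 1) + _Q + b"\x00" + struct.pack(">HHIH", DNS_TYPE_OPT, 4096, 0, 0)
```

Sending `build_query(...)` over UDP to a resolver and passing the reply to `inspect_response` tells you whether the path honours the advertised size or falls back to 512 bytes with TC set.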