Mitigating DNS Denial of Service Attacks

The DNS protocol is, unfortunately, an effective Denial-of-Service attack vector for a few reasons:
  • DNS generally uses the connectionless User Datagram Protocol (UDP) as its transport, so a resolver has no way to verify that a query really came from the source address it carries.
  • Many autonomous systems allow source-spoofed packets to leave or enter their network (no BCP 38 ingress/egress filtering).
  • There is no shortage of Open Resolvers on the Internet.
Together, these three factors let attackers reflect DNS queries off open resolvers: the attacker sends queries whose source IP address is spoofed to be the victim's, and each resolver sends its response to the victim rather than to the attacker. Because a DNS response is usually much larger than the query that triggered it, the traffic is also amplified, so a modest amount of attacker bandwidth becomes a large volume of unwanted response packets arriving at the victim. You can help reduce the effectiveness of these attacks by following the recommendations described below:
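The reflection pattern described above, and the spoofed-source egress that makes it possible, as an added example that is not part of the original page or OARC's tooling. It runs over constructed UDP flow records of the form (src_ip, src_port, dst_ip, dst_port, bytes); the addresses, byte counts, the 192.0.2.0/24 "local" prefix and the detection thresholds are all assumptions made for the illustration. A host that receives DNS responses from many distinct resolvers while having sent few or no queries of its own is flagged as a reflection victim, and packets leaving the local network with a non-local source address are flagged as the spoofing that BCP 38 filtering would drop.

```python
"""Detection of DNS reflection victims and of spoofed-source egress, run over
constructed flow records. Added example for illustration; not OARC's code.
All addresses, byte counts and thresholds are hypothetical."""
import ipaddress
from collections import defaultdict

# Constructed UDP flow records as (src_ip, src_port, dst_ip, dst_port, bytes),
# as a collector near the victim network 203.0.113.0/24 might export them.
FLOWS = [
    # Ordinary client: a few small queries to one resolver, modest answers back.
    ("203.0.113.10", 40001, "198.51.100.53", 53, 60),
    ("198.51.100.53", 53, "203.0.113.10", 40001, 210),
    ("203.0.113.10", 40002, "198.51.100.53", 53, 58),
    ("198.51.100.53", 53, "203.0.113.10", 40002, 195),
    # Victim 203.0.113.7 never sent a query but receives large responses
    # from five distinct open resolvers, aimed at its web port.
    ("198.51.100.1", 53, "203.0.113.7", 80, 3100),
    ("198.51.100.2", 53, "203.0.113.7", 80, 3050),
    ("198.51.100.3", 53, "203.0.113.7", 80, 2990),
    ("198.51.100.4", 53, "203.0.113.7", 80, 3120),
    ("198.51.100.5", 53, "203.0.113.7", 80, 3080),
]


def summarize_dns(flows):
    """Per host: outbound query count/bytes, inbound response count/bytes and the
    set of distinct responders. A packet to port 53 is counted as a query from
    its source; a packet from port 53 as a response to its destination."""
    stats = defaultdict(lambda: {"queries": 0, "query_bytes": 0,
                                 "responses": 0, "resp_bytes": 0,
                                 "responders": set()})
    for src, sport, dst, dport, nbytes in flows:
        if dport == 53:
            stats[src]["queries"] += 1
            stats[src]["query_bytes"] += nbytes
        elif sport == 53:
            stats[dst]["responses"] += 1
            stats[dst]["resp_bytes"] += nbytes
            stats[dst]["responders"].add(src)
    return stats


def find_reflection_victims(flows, min_responders=3, min_ratio=10.0):
    """Hosts receiving DNS responses from at least min_responders distinct
    resolvers with response bytes at least min_ratio times the query bytes they
    sent themselves (the ratio is infinite if they sent no queries at all)."""
    victims = {}
    for host, s in summarize_dns(flows).items():
        if not s["responses"]:
            continue
        ratio = s["resp_bytes"] / s["query_bytes"] if s["query_bytes"] else float("inf")
        if len(s["responders"]) >= min_responders and ratio >= min_ratio:
            victims[host] = {"responders": len(s["responders"]),
                             "response_bytes": s["resp_bytes"],
                             "amplification": ratio}
    return victims


# The second factor: a network that lets spoofed sources out. Packets seen on the
# inside of a border router whose source is not one of the network's own
# prefixes can only be spoofed; BCP 38 egress filtering would drop them.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # hypothetical local prefix
EGRESS = [
    ("192.0.2.10", 40003, "198.51.100.53", 53, 60),   # legitimate local source
    ("203.0.113.7", 80, "198.51.100.1", 53, 64),       # spoofed: claims the victim's address
    ("203.0.113.7", 80, "198.51.100.2", 53, 64),
]


def spoofed_egress(flows, local_nets=LOCAL_NETS):
    """Outbound packets whose source address lies in none of the local prefixes."""
    return [f for f in flows
            if not any(ipaddress.ip_address(f[0]) in net for net in local_nets)]


if __name__ == "__main__":
    for host, info in find_reflection_victims(FLOWS).items():
        print(f"reflection victim {host}: {info}")
    for f in spoofed_egress(EGRESS):
        print("spoofed source leaving network:", f)
```

The thresholds are deliberately parameters: on a busy recursive resolver the legitimate query/response byte ratio is already a few to one, so the amplification threshold and the distinct-responder count should be tuned against a baseline of the network's normal DNS traffic before the rule is used for alerting.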

OARC 2015 AGM Board Election Results

The following candidates were elected or re-elected to the OARC Board for 2-year terms:
  • Paul Ebersman (Comcast)
  • David Knight (Dyn)
  • Duane Wessels (Verisign)
OARC welcomes Paul Ebersman to the Board and congratulates him and the re-elected Board members on their successful election.

Our sincere thanks to Jim Galvin for his service and support to OARC over the past year.

OARC's TLDmon Service

OARC's TLDmon uses Nagios to monitor operational characteristics of the authoritative nameservers for the Root Zone and all Top Level Domains. TLDmon checks for authoritative answers, EDNS support, lame delegations, NS RR sets that are consistent across all of a zone's servers, open resolvers, expired DNSSEC signatures (RRSIGs), matching SOA serial numbers, and TCP support. As the Domain Name System continues its evolution, it becomes increasingly important that these critical nameservers are configured correctly.
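Checks of the kind listed above, run offline over constructed per-server answers, as an added example that is not OARC's TLDmon code. The zone "example.", its three hypothetical servers, the field names of the answer records and the probe time are all assumptions made for the illustration; a real monitor would obtain these values by querying each server over UDP and TCP. The example flags a server that answers without the AA bit (lame), one whose SOA serial and NS RRset disagree with the other servers, an expired RRSIG (accepting both presentation forms of the expiration field), and missing TCP or EDNS support.

```python
"""Zone-consistency checks over constructed answers from each authoritative
server. Added example for illustration; not OARC's TLDmon code and it does not
talk to the network."""
from collections import Counter
from datetime import datetime, timezone

# Constructed: what each server for the hypothetical zone "example." returned.
# Field names are this example's own:
#   aa       - the Authoritative Answer bit was set
#   serial   - SOA serial number
#   ns       - NS RRset returned for the zone apex
#   rrsig    - expiration field of the RRSIG covering the SOA, either as
#              YYYYMMDDHHmmSS or as seconds since the epoch
#   tcp/edns - the server answered over TCP / with an OPT record
ANSWERS = {
    "a.ns.example.": {"aa": True, "serial": 2015040101,
                      "ns": {"a.ns.example.", "b.ns.example.", "c.ns.example."},
                      "rrsig": "20150501000000", "tcp": True, "edns": True},
    "b.ns.example.": {"aa": True, "serial": 2015040101,
                      "ns": {"a.ns.example.", "b.ns.example.", "c.ns.example."},
                      "rrsig": 1430438400,        # the same instant in epoch form
                      "tcp": True, "edns": True},
    "c.ns.example.": {"aa": False, "serial": 2015033001,   # lame and stale
                      "ns": {"a.ns.example.", "b.ns.example."},
                      "rrsig": "20150301000000", "tcp": False, "edns": True},
}

# Constructed probe time used as "now" so the expiry check is reproducible.
PROBE_TIME = datetime(2015, 4, 15, tzinfo=timezone.utc)


def rrsig_expiration(value):
    """Parse an RRSIG expiration given as YYYYMMDDHHmmSS or as epoch seconds
    (RFC 4034 permits both in presentation format); returns an aware UTC time."""
    text = str(value)
    if len(text) == 14 and text.isdigit():
        return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(text), tz=timezone.utc)


def check_zone(answers, now):
    """Return a sorted list of (problem, detail) tuples for the zone."""
    problems = []

    # SOA serials should match across all servers.
    serials = {srv: a["serial"] for srv, a in answers.items()}
    if len(set(serials.values())) > 1:
        problems.append(("serial-mismatch", tuple(sorted(serials.items()))))

    # Every server should return the same NS RRset; report the outliers
    # relative to the set returned by the most servers.
    majority_ns = Counter(frozenset(a["ns"]) for a in answers.values()).most_common(1)[0][0]
    for srv, a in answers.items():
        if frozenset(a["ns"]) != majority_ns:
            problems.append(("ns-rrset-mismatch", srv))

    # Per-server properties.
    for srv, a in answers.items():
        if not a["aa"]:
            problems.append(("lame-delegation", srv))
        if not a["tcp"]:
            problems.append(("no-tcp", srv))
        if not a["edns"]:
            problems.append(("no-edns", srv))
        if rrsig_expiration(a["rrsig"]) <= now:
            problems.append(("rrsig-expired", srv))

    return sorted(problems, key=lambda p: (p[0], str(p[1])))


if __name__ == "__main__":
    for problem, detail in check_zone(ANSWERS, PROBE_TIME):
        print(f"{problem}: {detail}")
```

An RRSIG that has expired is worse than a missing one for a validating resolver: the signed RRset fails validation and the zone becomes unreachable for validating clients, so the expiry check is the one most worth alerting on well before the expiration instant rather than at it.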