Mitigating DNS Denial of Service Attacks

The DNS protocol is, unfortunately, an effective Denial-of-Service attack vector for a few reasons:
  • DNS generally uses the connectionless User Datagram Protocol (UDP) as its transport.
  • Many autonomous systems allow source-spoofed packets to enter their network.
  • There is no shortage of Open Resolvers on the Internet.
These three factors mean that attackers can create large amounts of unwanted response packets by reflecting DNS queries off open resolvers. In such an attack, DNS queries are sent with a spoofed source IP address belonging to the victim, so the resolvers' responses are delivered to the victim rather than to the attacker. You can help reduce the effectiveness of these attacks by following the recommendations described below:

OARC's TLDmon Service

OARC's TLDmon uses Nagios to monitor operational characteristics of authoritative nameservers for the Root Zone and all Top Level Domains. TLDmon checks for authoritative answers, EDNS support, lame delegations, consistent NS RR sets, open resolvers, expired RRSIGs, matching serial numbers, and TCP support. As the Domain Name System continues its evolution, it becomes increasingly important that these critical nameservers are configured correctly.

2014 OARC Elections

During the 2014 OARC Annual General Meeting we will be electing three seats on the OARC Board of Directors. The seats becoming available are doing so on the following basis:
  • Existing Board member Antoin Verschuren's (SIDN) two-year term has ended. Antoin will not be standing for re-election.
  • Existing Board member Ondrej Filip's (CZ.NIC) two-year term has ended. Ondrej will be standing for re-election.
  • Existing Board member John Crain's two-year term has ended.

DNS Looking Glass Information

Submitted by admin on Mon, 05/12/2014 - 12:45

There are a number of DNS Looking Glass sites around the Internet that will allow anyone to send a DNS query from that location. Looking Glasses are of particular use in the case of troubleshooting a problem with a DNS zone that is served from an anycasted service. In the event of a problem with the service, the view of a zone can be very different from distant places on the Internet. Here is a list of some of the known looking glass sites around the Internet:

OARC Spring 2014 Workshop and EGM (Warsaw)

The agenda for DNS-OARC's 2014 Spring Workshop and Member EGM on the 10th and 11th May, in Warsaw, Poland is now available here. This will be held at the same location as the subsequent RIPE68 meeting, and we're grateful to Microsoft and Verisign for being our main sponsors for this workshop. Our talks include a study of Open Resolvers, detection of Botnet Domains, and connection-oriented improvements to DNS security.