[LINK] Attack On Internet Called Largest Ever
Wed, 23 Oct 2002 17:31:09 +1000
> On Wed, 23 Oct 2002, Roger Clarke wrote:
> > The thought struck me during this and other recent discussions re DNS
> > that the volume of traffic at the root servers would generally be
> > very low. That would be because the relatively small number of
> > domains for which the root servers are (equal) authoritative
> > name-servers are pretty stable, and hence the entries are cached all
> > over the place, and hence there don't need to be many enquiries to
> > them. They're effectively the reboot-mechanism of last resort.
On Wed, Oct 23, 2002 at 11:39:54AM +1000, Howard Lowndes wrote:
> I don't think this is true. My understanding (and I would like to be
> corrected if this is wrong) is that if a local DNS server is either not
> authoritative for a domain, or does not have the requested address already
> cached, then its next place of recourse is directly to a root server and
> then steadily back down the chain.
> I originally thought that the process was steadily up the chain to a given
> point and then back down, but I was corrected on this only the other day.
> If my current assumption _is_ correct then the root servers will be
> getting a fair pasting and a DDoS would have severe impact.
> Please, someone, correct me if I am wrong.
It depends what the domains are. If the requests are for new TLDs, then
yes, you'll have to contact the root servers. If they're for new .com
or .com.au domains, then you can ask servers for the lowest level domain
you hold cached nameserver records for. It makes no sense for the local
cache to refresh still-valid data it already holds, right?
If I had just looked up xyz.com.au (by asking servers for ., .au and
.com.au) and then wanted to look up zyx.com.au I would only need to ask
the servers for .com.au because I would have those addresses cached from
my previous query. A request for xyz.net.au would be sent to the .au
servers. Only a query for xyz.com would require an answer from the root
servers (assuming I hadn't recently looked up another .com name).
The TTLs on the root NS RRs and the GTLD NS RRs are 6 days, and their
corresponding A records are 6 weeks and 6 days respectively. A DoS
attack would need to last quite a long time before a significant part
of the net would notice.
For Link list information see http://sunsite.anu.edu.au/link/
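The lookups walked through in the reply above can be modelled as a delegation cache. This is an added example, not code from the thread or from any resolver: the zone tree, the `CachingResolver` class and the `root_up` flag are hypothetical, and the 6-day NS TTL quoted for the root and GTLD records is assumed for every zone.

```python
# Added illustration, not from the thread: a toy model of a resolver's delegation cache.
SIX_DAYS = 6 * 24 * 3600  # NS TTL quoted in the message; assumed here for every zone
ZONE_CUTS = {"au", "com.au", "net.au", "com"}  # constructed delegation tree


class CachingResolver:
    def __init__(self):
        self.ns_expiry = {}  # zone -> time at which its cached NS records expire

    @staticmethod
    def delegation_path(name):
        """Zones from the root ('') down to the deepest zone cut enclosing name."""
        labels = name.split(".")
        suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1, 0, -1)]
        return [""] + [z for z in suffixes if z in ZONE_CUTS]

    def resolve(self, name, now, root_up=True):
        """Return the zones whose servers were queried, or None on failure."""
        path = self.delegation_path(name)
        # Start at the deepest zone whose NS records are still cached.
        start = 0
        for i in range(len(path) - 1, 0, -1):
            if self.ns_expiry.get(path[i], 0) > now:
                start = i
                break
        if start == 0 and not root_up:
            return None  # nothing usable cached and the root is unreachable
        # Each server queried refers us one zone down; cache that referral.
        for child in path[start + 1:]:
            self.ns_expiry[child] = now + SIX_DAYS
        return [zone or "." for zone in path[start:]]


if __name__ == "__main__":
    r = CachingResolver()
    for t, name in enumerate(["xyz.com.au", "zyx.com.au", "xyz.net.au", "xyz.com"]):
        print(name, "->", r.resolve(name, now=t))
    # Root unreachable: cached delegations keep working until their TTL runs out.
    print(r.resolve("zyx.com.au", now=5 * 86400, root_up=False))
    print(r.resolve("zyx.com.au", now=SIX_DAYS + 10, root_up=False))
```

With the root marked unreachable, names under an already cached delegation keep resolving until the cached NS records expire, which is the effect the message attributes to the long TTLs.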