Eircom have been having problems with internet connectivity. It’s hard to get information about exactly what they’re seeing, but there seem to be 2 aspects to it:
- Eircom are getting hit with a lot of packets
- Customers have sometimes been directed to strange sites by Eircom’s DNS servers
Justin Mason has a good overview of the news coverage. There some points of his worth correcting though:
- The Kaminsky attack takes less than seconds against servers which do not randomise the QID.
- No DNS server is immune to being poisoned by spoofed QID – even with randomised QIDs, DNS servers can still be poisoned in just 10 hours, at GigE rates of spoofing.
I.e. DDoS levels of incoming DNS packets are consistent with a poisoning attack on up-to-date DNS servers, which randomise QID.
The moral of the story here is that using recursive, caching DNS servers that are shared on any significant scale, like ISP nameservers or (even worse) OpenDNS, is just unhygienic. They’re just fundamentally flawed in todays internet environment, as they’re juicy targets for poisoning, until DNSSec is widely deployed. When finally DNSSec is deployed, shared, recursive nameservers remain a bad idea as they terminate the chain of the trust – the connection between the NS and client can still be spoofed.
- Technical users and systems admins should install local, recursive nameservers. Preferably on a per-system basis.
- Operating system vendors should provide easily-installed recursive nameservers and should consider installing and configuring their use by default. (Fedora provides a convenient ‘caching-nameserver’ package, and also a new dnssec-conf package with F11, though not enabled by default).
- Consumer router vendors already ship with recursive servers, but tend to forward queries to the ISP – they should stop doing that and just provide full recursive service (hosts already do caching of lookup results anyway).
Widely shared, recursive nameservers are a major security risk and really should be considered an anachronism. It’s time to start gettting rid of them…