Re: [dns-operations] s3.amazonaws.com problem - price to pay for not using DNSSEC

Thu, 24 Oct 2019 01:58:33 -0700 

On 23. 10. 19 14:37, Daniel Stirnimann wrote:
> I have located a host in our network which sends such queries the
> network resolver (which we operate):
> 
> mqfgioo5.s3.amazonaws[.]com. IN CNAME
> 6l-dpfrn.s3.amazonaws[.]com. IN CNAME
> 2idg5c42.s3.amazonaws[.]com. IN CNAME
> qzq3uz5m.s3.amazonaws[.]com. IN CNAME
> nenkxm2p.s3.amazonaws[.]com. IN CNAME
> yk2max6j.s3.amazonaws[.]com. IN CNAME
> qhcbric2.s3.amazonaws[.]com. IN CNAME
> wg-jmekf.s3.amazonaws[.]com. IN CNAME
> dnwn2ip1.s3.amazonaws[.]com. IN CNAME
> 711o385.s3.amazonaws[.]com. IN CNAME
> rn0v02a6.s3.amazonaws[.]com. IN CNAME
> pm1a3a4t.s3.amazonaws[.]com. IN CNAME
> 0xc.tibo.s3.amazonaws[.]com. IN CNAME
> 76jt.m9g.s3.amazonaws[.]com. IN CNAME
> 4tjc8hp.s3.amazonaws[.]com. IN CNAME
> b-.9ft7y.s3.amazonaws[.]com. IN CNAME

Funnily enough this attack would have been partially mitigated on resolver side 
if S3 domain was signed with DNSSEC!

New versions of resolvers already implement RFC 8198 which makes 
random-subdomain attacks ineffective against DNSSEC-signed domains. With 1/3 of 
clients in the world behind DNSSEC-validating resolver it would already make a 
difference.

This "protection effect" of signing + RFC 8198 was experimentally confirmed by 
measurements back in March 2018 and reported by me at DNS-OARC 28 meeting. 
Slides:
https://indico.dns-oarc.net/event/28/contributions/509/attachments/479/786/DNS-OARC-28-presentation-RFC8198.pdf

Update from 2019:
Slight latency increase reported on slide 9 is in fact bug in BIND 
implementation and not feature of the protocol.

Petr Špaček  @  CZ.NIC


> 
> Interestingly, it also sends other suspicious queries such as:
> 
> . IN TYPE1847
> . IN TYPE1847
> . IN TYPE567
> . IN TYPE1847
> . IN TYPE567
> . IN TYPE1847
> . IN TYPE1847
> . IN TYPE1900
> . IN TYPE823
> . IN TYPE1900
> . IN TYPE1847
> 7a4. IN TYPE868
> . IN TYPE1847
> . IN TYPE1847
> . IN TYPE1900
> . IN TYPE1847
> . IN TYPE1847
> 3n2y. IN TYPE612
> . IN TYPE311
> . IN TYPE1900
> 
> However, these are mostly answered from cache because of aggressive use
> of DNSSEC-validated cache. Still, I guess root server operators may see
> an increase in queries with unassigned query types.
> 
> Daniel
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Reply via email to