On 3/28/13, Ben Aitchison <ben@meh.net.nz> wrote:
On Tue, Mar 26, 2013 at 07:07:16PM -0700, Tom Paseka wrote:
Authoritative DNS servers need to implement rate limiting. (A client shouldn't query you twice for the same thing within its TTL.)
The RFC doesn't say that is a should; a client MAY only query you once for a record within its TTL. The TTL is the duration after which the entry /must/ be expunged from the cache; it is an allowed maximum, not a minimum lifetime. A client may query plenty of times within its TTL.

Sufficiently low rate limits on the authoritative would open the possibility of new kinds of attacks. If the authoritative DNS server decides to limit its rate of response, this might be used to conduct a DoS against the recursive nameserver's ability to look up queries against the authoritative NS applying the limit. This could be leveraged remotely through a malicious website, remote-loading bad image URLs from a significant number of non-existent subdomains, causing the rate limit to be attained. This may also be used to facilitate cache poisoning against legitimate recursors, targeting the domain whose authoritative servers apply a strict limit, by intentionally causing the recursor to make the maximum number of queries allowed before sending spoofed responses.

In particular, a client that answers many different queries for a large number of clients and has a limited cache size may query many times within a TTL. The average record cache lifetime might be 15 to 40 seconds (as low as 1 second in some cases), even if the record TTL is 86400. Or the cache may be manually flushed by the operator, in order to have a local DNS record change take effect more immediately (since most resolvers do not provide an admin command to flush only one zone from their cache).

No guarantee is made about the size of the client's cache, the number of records, or the client's cache aging policy. The response may be discarded or aged out well before its TTL has elapsed. There may be other 'more popular' records on the same DNS resolver that are retained in the cache until TTL. Additional queries may be issued as a cache-poisoning avoidance mechanism.
The same DNS servers might get queried multiple times successively for different records within the same zone.
Unbound, with its DNS prefetching, queries a DNS server again in (I think) the last 10% of the TTL when returning a hit to a client, to refresh the TTL and keep it current.
-- -JH
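The three behaviours argued over in this thread (a TTL is a ceiling, not a floor, so a bounded cache can drop a record long before it expires; a per-source response limit on the authoritative lets anyone who can make a recursor issue many junk queries block that recursor's legitimate lookups in the zone; and Unbound-style prefetch re-queries inside the last 10% of the TTL) can be shown with a toy simulation. This is an added example, not code from the thread or from any real resolver: the Authoritative and Recursor classes, the limit of 10 responses per source per 60 seconds, the source label "recursor-1" and every name and address in it are assumptions made for illustration.

```python
# Added example: toy recursive resolver in front of a rate-limited authoritative.
# Not code from the thread or any real resolver; all names/limits are assumed.
from collections import OrderedDict, deque


class Authoritative:
    """Serves one zone; drops queries from a source that already received
    `limit` responses in the last `window` seconds (hypothetical limiter)."""

    def __init__(self, zone, records, limit, window):
        self.zone = zone            # e.g. "example.com"
        self.records = records      # owner name -> (address, ttl)
        self.limit, self.window = limit, window
        self.seen = {}              # source -> deque of response timestamps

    def query(self, src, name, now):
        """Return (rtype, rdata, ttl); None means the limiter dropped the query
        and the recursor sees nothing but a timeout."""
        times = self.seen.setdefault(src, deque())
        while times and now - times[0] >= self.window:
            times.popleft()         # forget responses outside the window
        if len(times) >= self.limit:
            return None
        times.append(now)
        if name in self.records:
            addr, ttl = self.records[name]
            return ("A", addr, ttl)
        return ("NXDOMAIN", None, 60)   # negative answer with a 60 s TTL


class Recursor:
    """Bounded LRU cache. The TTL only bounds how long an entry may live;
    eviction or prefetch cause upstream re-queries well before it elapses."""

    def __init__(self, auths, cache_size, prefetch=False):
        self.auths = auths          # zone -> Authoritative
        self.cache = OrderedDict()  # name -> (answer, inserted_at, expires_at)
        self.cache_size = cache_size
        self.prefetch = prefetch    # refresh when <10% of the TTL remains
        self.stats = {"hits": 0, "upstream": 0, "servfail": 0}

    def _auth_for(self, name):
        for zone, auth in self.auths.items():
            if name == zone or name.endswith("." + zone):
                return auth
        raise KeyError(name)

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry and now < entry[2]:
            self.cache.move_to_end(name)
            self.stats["hits"] += 1
            answer, inserted, expires = entry
            if self.prefetch and expires - now < 0.1 * (expires - inserted):
                self._fetch(name, now)   # early refresh; client still gets the hit
            return answer
        return self._fetch(name, now)

    def _fetch(self, name, now):
        self.stats["upstream"] += 1
        resp = self._auth_for(name).query("recursor-1", name, now)
        if resp is None:
            self.stats["servfail"] += 1
            return "SERVFAIL"
        rtype, rdata, ttl = resp
        answer = "NXDOMAIN" if rtype == "NXDOMAIN" else rdata
        if name not in self.cache and len(self.cache) >= self.cache_size:
            self.cache.popitem(last=False)   # evict the least recently used entry
        self.cache[name] = (answer, now, now + ttl)
        return answer


def eviction_before_ttl():
    """Two-entry cache: an 86400 s record is fetched again only 3 s later."""
    auth = Authoritative("example.com", {"www.example.com": ("192.0.2.10", 86400),
                                         "a.example.com": ("192.0.2.11", 86400),
                                         "b.example.com": ("192.0.2.12", 86400)},
                         limit=100, window=60)
    r = Recursor({"example.com": auth}, cache_size=2)
    for t, n in enumerate(["www.example.com", "a.example.com",
                           "b.example.com", "www.example.com"]):
        r.resolve(n, t)
    return r.stats["upstream"]          # 4: www.example.com queried twice


def rate_limit_dos():
    """A page embedding 20 images from made-up subdomains exhausts the limit;
    the legitimate lookup that follows fails until the window has passed."""
    auth = Authoritative("example.com", {"www.example.com": ("192.0.2.10", 300)},
                         limit=10, window=60)
    r = Recursor({"example.com": auth}, cache_size=1000)
    for i in range(20):
        r.resolve("img%d.example.com" % i, 10)   # distinct names, cache is no help
    during = r.resolve("www.example.com", 11)
    after = r.resolve("www.example.com", 80)
    return during, after, r.stats["servfail"]   # ("SERVFAIL", "192.0.2.10", 11)


def prefetch_refreshes_early():
    """With prefetch on, a hit at 95 s into a 100 s TTL re-queries upstream."""
    auth = Authoritative("example.com", {"www.example.com": ("192.0.2.10", 100)},
                         limit=100, window=60)
    r = Recursor({"example.com": auth}, cache_size=10, prefetch=True)
    for t in (0, 50, 95):
        r.resolve("www.example.com", t)
    return r.stats["upstream"], r.cache["www.example.com"][2]   # (2, 195)
```

The second scenario is also the setting for the poisoning concern raised above: once the limiter kicks in, the recursor's outstanding queries go unanswered, which is exactly the window in which spoofed replies are the only traffic the recursor will see for that name; the model stops at the SERVFAIL and does not simulate the spoofing itself.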