On Wed, 13 Apr 2005, at 11:17, David MacQuigg wrote:
> Let's call this scenario E2a, since we are moving beyond the original
> assumptions of E2. In E2a, rr.com does not publish SRV records for 1000
> servers, but does have SPF records for each of 75 subdomains. We need to
> make some additional assumptions now, so I will define E2a1.
>
> In E2a1, the queries all have valid third-level subdomains, like
> austin.rr.com. serv138.austin.rr.com is fake, but it takes two queries to
> find that out, one to rr.com, and another to austin.rr.com (actually more
> if we include the redirects and mx queries currently in the
> records). Assuming we still have 1000 unique fake names (scenario E2),
> then the number of queries and cached records for each MTA is 1075.
*If* you have nothing cached for austin.rr.com the first time you
see a connection "from" serv138.austin.rr.com, your mail server
will issue one query to its DNS server, which will issue several
iterative queries; in the worst case:
- Query to an authoritative server for "." to find the authoritative servers for ".com"
- Query to an authoritative server for ".com" to find the authoritative servers for "rr.com" (four NS records cached as a result of this query)
- Query to an authoritative server for "rr.com" to find information about serv138.austin.rr.com; the NS records (two) for austin.rr.com will be returned by this query and cached
- Query to an authoritative server for austin.rr.com, for which an NXDOMAIN will be returned for the fake server; this NXDOMAIN record should also be cached.
You won't have to do any SPF or CSV record queries for
non-existent hostnames; one presumes you'd reject the connection
immediately based on the claimed hostname not existing, rather
than taking the extra step of trying to authenticate/validate
that which does not already exist.
Caching 1,075, or even 2,000, DNS resource records is not that
expensive, really. Here's the output of a little perl I hacked
together using Net::DNS:
Size of TXT record answer for rr.com is 411 bytes
Size of NS record answer for rr.com is 164 bytes
Size of NS record answer for rr.com is 164 bytes
Size of NS record answer for rr.com is 164 bytes
Size of NS record answer for rr.com is 164 bytes
Size of NS record answer for austin.rr.com is 87 bytes
Size of NS record answer for austin.rr.com is 87 bytes
Size of A record answer for vamx01.mgw.rr.com is 191 bytes
Query for A record for vamx61.mgw.rr.com yielded NXDOMAIN
This answer is 82 bytes long
No telling what a given nameserver implementation might do with
those bytes, but expanding them into more doesn't seem like a
likely scenario. 1,000 NXDOMAINS means a little over 8K of
cache, I'd think.
--
Todd Herr
Senior Security Policy Specialist/Postmaster
Time Warner Cable IP Security
V: 703.345.2447 M: 571.344.8619
therr(_at_)security(_dot_)rr(_dot_)com
AIM: RRCorpSecTH
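As an added illustration (not Todd's Net::DNS script), the Python below builds a minimal NXDOMAIN response in DNS wire format for vamx61.mgw.rr.com, with the enclosing zone's SOA in the authority section as negative caching (RFC 2308) requires, and measures it so the per-entry cache cost can be estimated. The zone apex (mgw.rr.com), the primary nameserver label (ns1) and the hostmaster label are assumptions; the real zone's SOA names and compression decide the exact byte count.

```python
import struct

# Added illustration (not the Net::DNS script from the message): build a minimal
# NXDOMAIN response in DNS wire format (RFC 1035) with the zone SOA in the
# authority section (RFC 2308 negative caching) and measure its size.

def pointer(offset):
    """Compression pointer (two bytes, top bits 11) to a name already in the message."""
    return struct.pack(">H", 0xC000 | offset)

def encode_name(name, suffix_pointer=None):
    """Encode dotted labels; end with the root label, or with a pointer to a shared suffix."""
    labels = [l for l in name.strip(".").split(".") if l]
    wire = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels)
    return wire + (suffix_pointer if suffix_pointer is not None else b"\x00")

def header(qdcount, ancount, nscount, rcode):
    # ID, flags (QR=1 RD=1 RA=1 plus RCODE), QD/AN/NS/AR counts
    return struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, qdcount, ancount, nscount, 0)

def question(qname, qtype):
    return encode_name(qname) + struct.pack(">HH", qtype, 1)  # class IN

def resource_record(owner, rtype, ttl, rdata):
    return owner + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata

NXDOMAIN, TYPE_A, TYPE_SOA, HEADER_LEN = 3, 1, 6, 12

def nxdomain_response(qname, zone, primary_ns, hostmaster, minimum_ttl=3600):
    """Negative answer for qname: header + question + SOA of the enclosing zone."""
    msg = header(1, 0, 1, NXDOMAIN) + question(qname, TYPE_A)
    # The zone apex is a suffix of qname, so point at it inside the question section.
    zone_ptr = pointer(HEADER_LEN + len(encode_name(qname)) - len(encode_name(zone)))
    rdata = (encode_name(primary_ns, zone_ptr) + encode_name(hostmaster, zone_ptr)
             + struct.pack(">IIIII", 2005041301, 3600, 900, 604800, minimum_ttl))
    return msg + resource_record(zone_ptr, TYPE_SOA, minimum_ttl, rdata)

def cache_bytes(n_entries, message):
    """Naive cache cost if every one of n_entries negative answers were this size."""
    return n_entries * len(message)

if __name__ == "__main__":
    # Hostname from the message; nameserver and hostmaster labels are assumptions.
    reply = nxdomain_response("vamx61.mgw.rr.com", "mgw.rr.com", "ns1", "hostmaster")
    print("NXDOMAIN answer is", len(reply), "bytes;",
          "1,000 of them ~", cache_bytes(1000, reply), "bytes")
```

A resolver's in-memory cache entry is larger than the wire message (it keeps the parsed RRset plus TTL bookkeeping), so treat the wire size as a floor, not the actual footprint.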