
SoylentNews is people

posted by NCommander on Thursday August 25 2016, @01:00PM
from the you-can-haz-RRSIG dept.

In the ongoing battle of site improvements and shoring up security, I finally managed to scratch a long-standing itch and signed the soylentnews.org domain. As of right now, our chain is fully validated and pushed to all our end-points.
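One way to confirm from the outside that a zone's chain actually validates is to run `dig +dnssec` through a validating resolver and check two things: the `ad` flag in the header, and that every RRset in the answer is covered by an RRSIG whose validity window includes the current time. The script below is an added example, not code from SoylentNews or its admins; the dig output it parses is a constructed sample for `example.org` with a fake signature, and the zone name, address and key tag are placeholders.

```python
"""Check a dig-style DNSSEC answer: AD flag set and every RRset covered by a
currently valid RRSIG. Added example; the sample output below is constructed."""
from datetime import datetime, timezone

# Constructed sample of `dig +dnssec example.org A` output (not real records;
# the RRSIG signature field is a dummy base64 string).
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.\t3600\tIN\tA\t192.0.2.10
example.org.\t3600\tIN\tRRSIG\tA 8 2 3600 20160930000000 20160820000000 12345 example.org. c29tZWJhc2U2NA==
"""

# Assumed "current time" for the check: the date of the post above.
NOW = datetime(2016, 8, 25, 13, 0, tzinfo=timezone.utc)


def parse_answer(text):
    """Return (header flags, [(name, ttl, type, rdata tokens)]) from dig output."""
    flags, records, in_answer = set(), [], False
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            flags = set(line.split("flags:")[1].split(";")[0].split())
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";;"):
            in_answer = False          # any other ";;" line ends the section
        elif in_answer and line.strip():
            parts = line.split()
            records.append((parts[0], int(parts[1]), parts[3], parts[4:]))
    return flags, records


def _sig_time(token):
    # RRSIG expiration/inception are YYYYMMDDHHMMSS in UTC (RFC 4034).
    return datetime.strptime(token, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_dnssec(text, now=NOW):
    """Return a list of problems; an empty list means the answer looks validated."""
    flags, records = parse_answer(text)
    problems = []
    if "ad" not in flags:
        problems.append("AD flag not set: the resolver did not validate this answer")
    rrsets = {(name, rtype) for name, _, rtype, _ in records if rtype != "RRSIG"}
    sigs = [(name, rdata) for name, _, rtype, rdata in records if rtype == "RRSIG"]
    for name, rtype in sorted(rrsets):
        # RRSIG rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig
        covering = [rd for n, rd in sigs if n == name and rd[0] == rtype]
        if not covering:
            problems.append(f"{name} {rtype}: no covering RRSIG")
            continue
        for rd in covering:
            expiration, inception, signer = _sig_time(rd[4]), _sig_time(rd[5]), rd[7]
            if not inception <= now <= expiration:
                problems.append(f"{name} {rtype}: RRSIG outside validity {rd[5]}..{rd[4]}")
            if not name.lower().endswith(signer.lower()):
                problems.append(f"{name} {rtype}: signer {signer} is not a parent of the owner")
    return problems


if __name__ == "__main__":
    print(check_dnssec(SAMPLE_DIG_OUTPUT) or "answer validates")
```

The check is deliberately syntactic: it trusts the resolver for the cryptography (that is what the `ad` flag reports) and only catches the operational failures an operator usually hits, such as a signature that has expired because re-signing stopped, or an RRset that was added unsigned.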

Right now, I'm getting ready to dig in with TheMightyBuzzard to work on improving XSS protection for the site, and starting to lay out new site features (which will be in a future post). As with any meta post, I'll be reading your comments below.

~ NCommander

  • (Score: 0) by Anonymous Coward on Friday August 26 2016, @09:49AM (#393415)

    ISPs need to prevent obviously bad traffic from their network, or UDP needs an overhaul.

    Neither looks likely to happen soon.

    How large are the replies you get for an NS query from cloudflare servers? I'm getting about 500+ bytes for a 70+byte NS query which is an amplification of 7-8x.

    I got 1514 bytes for a 70 byte query from this: dig +bufsize=65535 +notcp +ignore . ANY
    Which is an amplification of 20x.

    In theory DNSSEC replies can be significantly bigger since they can be sent via multiple UDP packets: https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS#Issues
    The fact that EDNS0 was actually approved shows how silly the DNS standards people are.

    To me it seems very unlikely that a small IP range or a single IP would want hundreds or thousands of DNS replies per second from your DNS server/resolver. Thus perhaps a more practical solution would be to keep the reply rates and bandwidth per IP range to a "sane" level. DNS queries are supposed to be cached for minutes so if you appear to be asking too many times either your connection is too crappy or you are a victim of a DoS attack in which case you don't want the replies.

    That way an attacker would probably use a different DNSSEC server for amplification. Or need to find and use 10000 different DNS servers like yours to send 10-100Mbps at a target.
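The per-IP-range reply cap the commenter describes is what authoritative servers implement as response rate limiting (RRL). The simulation below is an added example, not code from SoylentNews or from the commenter: a fixed-window limiter keyed on (client prefix, qname, qtype) that sends the first few identical responses per second, answers every second over-limit query with a truncated (TC=1) reply so a real client can retry over TCP, and drops the rest. The limits, prefix lengths and the sample traffic are constructed; the 70-byte query and 1514-byte ANY response sizes are the ones quoted in the comment.

```python
"""Response rate limiting (RRL) simulation for an authoritative DNS server.
Added example: limiter parameters and sample traffic are constructed."""
import ipaddress

QUERY_BYTES = 70        # query size quoted in the comment
RESPONSE_BYTES = 1514   # ANY response size quoted in the comment
TRUNCATED_BYTES = 70    # a TC=1 reply carries only the header and question (assumed)


class ResponseRateLimiter:
    """Cap identical responses per client prefix per window; every `slip`-th
    over-limit response is truncated instead of dropped."""

    def __init__(self, responses_per_window=5, window_sec=1.0, slip=2,
                 v4_prefix=24, v6_prefix=56):
        self.limit, self.window_sec, self.slip = responses_per_window, window_sec, slip
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.state = {}  # key -> [window_id, responses_in_window, over_limit_seen]

    def _key(self, client_ip, qname, qtype):
        # Group by prefix: spoofed sources in one /24 (or /56) share a bucket.
        addr = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        return (str(net), qname.lower(), qtype.upper())

    def decide(self, now, client_ip, qname, qtype):
        """Return 'send', 'truncate' or 'drop' for one query."""
        key = self._key(client_ip, qname, qtype)
        window = int(now // self.window_sec)
        st = self.state.setdefault(key, [window, 0, 0])
        if st[0] != window:           # new window: reset counters
            st[:] = [window, 0, 0]
        st[1] += 1
        if st[1] <= self.limit:
            return "send"
        st[2] += 1
        return "truncate" if self.slip and st[2] % self.slip == 0 else "drop"


def amplification(query_bytes, response_bytes):
    """Bytes sent to the (possibly spoofed) source per byte received."""
    return response_bytes / query_bytes


def build_sample_traffic():
    """Constructed traffic: 30 identical ANY queries in 0.3 s from two addresses
    in one spoofed /24, plus three unrelated clients asking once each.
    Each event is (time, source, qname, qtype, response size)."""
    events = [(i * 0.01, "203.0.113.7" if i % 2 == 0 else "203.0.113.8",
               "example.org.", "ANY", RESPONSE_BYTES) for i in range(30)]
    events += [(0.05, "198.51.100.5", "example.org.", "A", 120),
               (0.12, "192.0.2.9", "example.org.", "MX", 200),
               (0.20, "2001:db8::1", "example.org.", "AAAA", 150)]
    return sorted(events)


def simulate(events, rrl):
    """Run the limiter over the events; return action counts and bytes emitted
    with and without RRL."""
    result = {"send": 0, "truncate": 0, "drop": 0,
              "bytes_without_rrl": 0, "bytes_with_rrl": 0}
    for now, src, qname, qtype, size in events:
        action = rrl.decide(now, src, qname, qtype)
        result[action] += 1
        result["bytes_without_rrl"] += size
        result["bytes_with_rrl"] += {"send": size, "truncate": TRUNCATED_BYTES,
                                     "drop": 0}[action]
    return result


if __name__ == "__main__":
    print(f"ANY amplification: {amplification(QUERY_BYTES, RESPONSE_BYTES):.1f}x")
    print(simulate(build_sample_traffic(), ResponseRateLimiter()))
```

With the constructed traffic the spoofed /24 gets five full responses and twelve truncated ones instead of thirty full responses, while the three unrelated clients are answered normally because they fall into different buckets; the cost of a false positive is a TCP retry rather than a lost answer, which is why the slip step matters.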