“Fast flux” refers to the practice of hosting malicious services on a large number of compromised computers, while using highly dynamic DNS resource records to direct traffic between those “bot net drones”.
In order to combat “fast flux”, the new Internet Draft document “Double Flux Defense in the DNS Protocol”, by John Bambenek of the University of Illinois, proposes material changes to the DNS.
- Domain registrars should allow NS record updates only once every 72 hours, plus one rollback every 72 hours.
- DNS software should impose the following restrictions on the TTL values of NS records, as well as on those of A records pointed to by an NS record:
  - Authoritative DNS servers should not serve TTL values of less than 24 hours, but replace any such values with a 72-hour TTL.
  - Non-authoritative DNS servers, as well as DNS clients, should entirely discard any such records with a TTL of less than 12 hours. In such a case, no information should be returned to the requesting client or application.
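To make the scope of the proposed TTL rules concrete, here is an added example (not code from the draft or from its author) that applies both the authoritative-side rewrite and the resolver-side discard to a constructed response for a hypothetical zone `example.test`. It assumes that "no information should be returned" means the whole response is withheld when any covered record is below the 12-hour floor, and it shows that an ordinary low-TTL A record (the usual CDN case) is outside the rules, since only NS records and the A records they point to are covered.

```python
from dataclasses import dataclass

# Thresholds as summarised in the post (seconds)
AUTH_MIN_TTL = 24 * 3600          # authoritative: anything below is rewritten
AUTH_REPLACEMENT_TTL = 72 * 3600  # ... to this value
RESOLVER_MIN_TTL = 12 * 3600      # resolvers/clients: anything below is dropped


@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # "NS", "A", ...
    ttl: int     # seconds
    rdata: str   # NS target or IPv4 address


def covered(records):
    """Records the draft's rules apply to: NS records, plus A records whose
    owner name is the target of some NS record in the same response."""
    ns_targets = {r.rdata.lower() for r in records if r.rtype == "NS"}
    return {r for r in records
            if r.rtype == "NS" or (r.rtype == "A" and r.name.lower() in ns_targets)}


def authoritative_view(records):
    """Authoritative side: covered records with TTL < 24h are served with a 72h TTL."""
    cov = covered(records)
    return [RR(r.name, r.rtype, AUTH_REPLACEMENT_TTL, r.rdata)
            if r in cov and r.ttl < AUTH_MIN_TTL else r
            for r in records]


def resolver_view(records):
    """Resolver/client side (assumed interpretation): if any covered record has
    TTL < 12h, withhold the entire response; otherwise pass it through unchanged."""
    if any(r.ttl < RESOLVER_MIN_TTL for r in covered(records)):
        return []
    return list(records)


# Constructed sample response for the hypothetical zone example.test
SAMPLE = [
    RR("example.test.", "NS", 300, "ns1.example.test."),
    RR("ns1.example.test.", "A", 300, "192.0.2.10"),  # glue pointed to by NS: covered
    RR("www.example.test.", "A", 300, "192.0.2.80"),  # ordinary A record: not covered
]

if __name__ == "__main__":
    for r in authoritative_view(SAMPLE):
        print(f"auth: {r.name} {r.rtype} ttl={r.ttl}")
    print("resolver returns:", resolver_view(SAMPLE))  # [] because NS/glue TTL < 12h
```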
These changes would be quite significant in terms of combating “fast flux” hosting. Unfortunately, I also assume that preventing delegation changes, not to mention discarding DNS responses, would bring many negative results. What do you think? Please post your comments!