Describe DNS/security/Google here.

https://developers.google.com/speed/public-dns/docs/security

Introduction: DNS security threats and mitigations

Cache poisoning attacks

DoS and amplification attacks

Mitigations

In Google Public DNS, we have implemented, and we recommend, the following approaches:

    Securing your code against buffer overflows, particularly the code responsible for parsing and serializing DNS messages.

    Overprovisioning machine resources to protect against direct DoS attacks on the resolvers themselves. Since IP addresses are trivial for attackers to forge, it's impossible to block queries based on IP address or subnet; the only effective way to handle such attacks is to simply absorb the load.

/validity-checking

    Implementing basic validity-checking of response packets and of name server credibility, to protect against simple cache poisoning. These are standard mechanisms and sanity checks that any standards-compliant caching resolver should perform.

https://developers.google.com/speed/public-dns/docs/security#validity_check

/entropy

    Adding entropy to request messages, to reduce the probability of more sophisticated spoofing/cache poisoning attacks such as Kaminsky attacks. There are many recommended techniques for adding entropy, including randomizing source ports; randomizing the choice of name servers (destination IP addresses); randomizing case in name requests; and appending nonce prefixes to name requests. Below, we give an overview of the benefits, limitations, and challenges of each of these techniques, and discuss how we implemented them in Google Public DNS.

https://developers.google.com/speed/public-dns/docs/security#add_entropy
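The resolver-side checks described in the validity-checking and entropy items above (case-randomized query names whose echoed question must match exactly, a count of the bits a spoofer has to guess, and bailiwick checking before caching) as an added Python example; this is not Google's code, and the zone names, record tuples and the 16-bit source-port assumption are constructed for illustration.

```python
import random

def randomize_case(qname: str, rng=None) -> str:
    """Case-randomize each ASCII letter of a query name (the 0x20 technique).
    Digits, hyphens and dots are left unchanged, so the name still resolves."""
    rng = rng or random.SystemRandom()
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower())
        if ch.isascii() and ch.isalpha() else ch
        for ch in qname
    )

def case_entropy_bits(qname: str) -> int:
    """Each ASCII letter is one extra bit an off-path spoofer must guess."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())

def total_guess_bits(qname: str, txid_bits: int = 16, port_bits: int = 16) -> int:
    """Bits of entropy in a query: transaction ID + randomized source port + case.
    port_bits=16 assumes the full port range is usable (a simplification)."""
    return txid_bits + port_bits + case_entropy_bits(qname)

def response_name_matches(sent_qname: str, echoed_qname: str) -> bool:
    """The question echoed by the server must match byte-for-byte (case included).
    A name that matches only case-insensitively was not built from our query."""
    return sent_qname == echoed_qname

def in_bailiwick(owner: str, zone: str) -> bool:
    """Credibility check: only cache records whose owner is at or below the zone
    the queried name server is authoritative for (trailing dots normalized)."""
    o, z = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    return o == z or o.endswith("." + z)

def accept_response(sent_qname, echoed_qname, ns_zone, records):
    """Return the records a resolver may cache from a response, or None if the
    whole response should be dropped. records are (owner, type, rdata) tuples."""
    if not response_name_matches(sent_qname, echoed_qname):
        return None  # drop it: question mismatch, likely a spoofed reply
    return [r for r in records if in_bailiwick(r[0], ns_zone)]

def demo():
    # Constructed reply from an example.com server: one legitimate answer plus an
    # out-of-bailiwick additional record that must not enter the cache.
    sent = randomize_case("www.example.com")
    reply = [("www.example.com", "A", "192.0.2.10"),
             ("ns.evil.test", "A", "192.0.2.99")]
    return total_guess_bits(sent), accept_response(sent, sent, "example.com", reply)
```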

    Removing duplicate queries, to combat the probability of "birthday attacks".

    Rate-limiting requests, to prevent DoS and amplification attacks.

    Monitoring the service for the client IPs using the most bandwidth and experiencing the highest response-to-request size ratio.

MoinQ: DNS/security/Google (last edited 2020-10-10 22:23:44 by ToshinoriMaeno)