1. DNS / cache server / OpenDNS
The ANSSI recommends that all DNS resolver software vendors implement a bounding check on the amount of queries/work that can be generated in order to resolve a single domain name. OpenDNS, whom the ANSSI asked for operational feedback on these recommendations, confirmed they have already deployed similar mitigation strategies without impacting normal operations.
http://www.ssi.gouv.fr/IMG/pdf/idns_attack_anssi.pdf
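What the recommended bound buys, as an added example (this is illustration code, not code from the ANSSI paper, from OpenDNS, or from any real resolver): a toy iterative resolver run over constructed delegation data in which every NS host name lives in yet another zone, so a resolver that fetches an address for every name server it is handed does fanout**depth work to answer one query. The zone names under `example`, the addresses, the `budget` value and all function names are assumptions.

```python
"""Per-resolution work budget, modelled on constructed delegation data.

Added illustration: zone names, addresses, the resolver's strategy and
the budget value are assumptions, not details from the ANSSI paper or
from OpenDNS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class WorkBudgetExceeded(Exception):
    """One resolution tried to spend more queries than its budget."""


def build_delegation_tree(fanout: int, depth: int) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Constructed zone data for the pathological case.

    Every zone above the deepest level is served by `fanout` name servers
    whose host names live in *other* zones, each again served by servers
    in further zones. Only the deepest zones ship glue, so one query for a
    name in z0.example fans out into fanout**depth lookups.
    """
    delegations: Dict[str, List[str]] = {}   # zone -> NS host names
    glue: Dict[str, str] = {}                # NS host -> address delivered in the referral

    def add_zone(label: str, level: int) -> None:
        zone = f"{label}.example"
        servers = []
        for i in range(fanout):
            if level == depth:
                host = f"ns{i}.{zone}"                 # in-bailiwick, glue available
                glue[host] = f"192.0.2.{len(glue) % 254 + 1}"
            else:
                child = f"{label}-{i}"                 # out-of-bailiwick server name
                host = f"ns.{child}.example"
                add_zone(child, level + 1)
            servers.append(host)
        delegations[zone] = servers

    add_zone("z0", 0)
    return delegations, glue


@dataclass
class Resolver:
    """Toy resolver that fetches an address for every NS it is handed before
    querying a zone, and counts the queries one resolution costs."""
    delegations: Dict[str, List[str]]
    glue: Dict[str, str]
    budget: Optional[int] = None              # None = the unbounded behaviour
    queries: int = 0
    cache: Dict[str, str] = field(default_factory=dict)

    def _zone_of(self, name: str) -> str:
        labels = name.split(".")
        for i in range(1, len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.delegations:
                return zone
        raise KeyError(f"no zone serves {name}")

    def _send(self, zone: str, name: str) -> str:
        """One query to an authoritative server of `zone`; the budget is enforced here."""
        if self.budget is not None and self.queries >= self.budget:
            raise WorkBudgetExceeded(f"{self.queries} queries spent resolving one name")
        self.queries += 1
        # constructed authoritative answer: glue hosts keep their glue address,
        # any other name in the zone resolves to a placeholder address
        return self.glue.get(name, "198.51.100.1")

    def resolve(self, name: str) -> str:
        if name in self.cache:
            return self.cache[name]
        zone = self._zone_of(name)
        for ns in self.delegations[zone]:
            if ns in self.glue:
                self.cache[ns] = self.glue[ns]
            elif ns not in self.cache:
                self.cache[ns] = self.resolve(ns)    # the recursion is where the work explodes
        addr = self._send(zone, name)
        self.cache[name] = addr
        return addr


def resolve_with_budget(name, delegations, glue, budget=None):
    """Return (address or None, queries spent) for one resolution."""
    r = Resolver(delegations, glue, budget)
    try:
        return r.resolve(name), r.queries
    except WorkBudgetExceeded:
        return None, r.queries


if __name__ == "__main__":
    delegations, glue = build_delegation_tree(fanout=2, depth=4)
    print(resolve_with_budget("www.z0.example", delegations, glue))             # ('198.51.100.1', 31)
    print(resolve_with_budget("www.z0.example", delegations, glue, budget=10))  # (None, 10)
```

With fanout 2 and depth 4 the unbounded resolver sends 31 queries (one per zone in the tree) to answer a single question; raising the fanout to 3 at depth 3 already costs 40. The bounded resolver gives up after exactly `budget` queries, which is the point of the recommendation: the cost of one client query is capped by the resolver, not by whoever controls the delegations.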
Pay attention to the TTL of the NS record.
After the reply to the A record query, you will see that the TTL has gone up. -- ToshinoriMaeno 2011-08-13 12:18:47
tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr ns zac.qmail.jp
2 zac.qmail.jp:
49 bytes, 1+1+0+0 records, response, noerror
query: 2 zac.qmail.jp
answer: zac.qmail.jp 300 NS a.ns.zac.qmail.jp

tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr ns zac.qmail.jp
2 zac.qmail.jp:
49 bytes, 1+1+0+0 records, response, noerror
query: 2 zac.qmail.jp
answer: zac.qmail.jp 286 NS a.ns.zac.qmail.jp

tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr a zac.qmail.jp
1 zac.qmail.jp:
46 bytes, 1+1+0+0 records, response, noerror
query: 1 zac.qmail.jp
answer: zac.qmail.jp 120 A 59.106.175.222

tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr ns zac.qmail.jp
2 zac.qmail.jp:
49 bytes, 1+1+0+0 records, response, noerror
query: 2 zac.qmail.jp
answer: zac.qmail.jp 294 NS a.ns.zac.qmail.jp

tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr a a.ns.zac.qmail.jp
1 a.ns.zac.qmail.jp:
51 bytes, 1+1+0+0 records, response, noerror
query: 1 a.ns.zac.qmail.jp
answer: a.ns.zac.qmail.jp 271 A 59.106.175.222

tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr a www.zac.qmail.jp
1 www.zac.qmail.jp:
50 bytes, 1+1+0+0 records, response, noerror
query: 1 www.zac.qmail.jp
answer: www.zac.qmail.jp 120 A 59.106.175.222

tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr ns zac.qmail.jp
2 zac.qmail.jp:
49 bytes, 1+1+0+0 records, response, noerror
query: 2 zac.qmail.jp
answer: zac.qmail.jp 292 NS a.ns.zac.qmail.jp
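The check behind the observation above, as an added example (the transcript string is the dnsqr session from this page; the parser, the record key and the "TTL went up" heuristic are mine and are not part of djbdns, dnsqr or OpenDNS). A cache that only counts TTLs down can never report a higher TTL for the same record than it did earlier, so an increase means the resolver replaced its copy with a fresher one while serving the queries in between.

```python
"""Parse a dnsqr session and flag cached records whose TTL went up.

Added example: TRANSCRIPT is the session shown on this page; the
parsing and the refresh heuristic are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

TRANSCRIPT = """\
tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr ns zac.qmail.jp
2 zac.qmail.jp:
49 bytes, 1+1+0+0 records, response, noerror
query: 2 zac.qmail.jp
answer: zac.qmail.jp 300 NS a.ns.zac.qmail.jp
tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr ns zac.qmail.jp
2 zac.qmail.jp:
49 bytes, 1+1+0+0 records, response, noerror
query: 2 zac.qmail.jp
answer: zac.qmail.jp 286 NS a.ns.zac.qmail.jp
tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr a zac.qmail.jp
1 zac.qmail.jp:
46 bytes, 1+1+0+0 records, response, noerror
query: 1 zac.qmail.jp
answer: zac.qmail.jp 120 A 59.106.175.222
tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr ns zac.qmail.jp
2 zac.qmail.jp:
49 bytes, 1+1+0+0 records, response, noerror
query: 2 zac.qmail.jp
answer: zac.qmail.jp 294 NS a.ns.zac.qmail.jp
tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr a a.ns.zac.qmail.jp
1 a.ns.zac.qmail.jp:
51 bytes, 1+1+0+0 records, response, noerror
query: 1 a.ns.zac.qmail.jp
answer: a.ns.zac.qmail.jp 271 A 59.106.175.222
tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr a www.zac.qmail.jp
1 www.zac.qmail.jp:
50 bytes, 1+1+0+0 records, response, noerror
query: 1 www.zac.qmail.jp
answer: www.zac.qmail.jp 120 A 59.106.175.222
tmaeno@:~$ DNSCACHEIP=208.67.222.222 dnsqr ns zac.qmail.jp
2 zac.qmail.jp:
49 bytes, 1+1+0+0 records, response, noerror
query: 2 zac.qmail.jp
answer: zac.qmail.jp 292 NS a.ns.zac.qmail.jp
"""

COMMAND_RE = re.compile(r"\bdnsqr\s+(\S+)\s+(\S+)")                 # "dnsqr <type> <name>"
ANSWER_RE = re.compile(r"^answer:\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")  # name ttl type data


@dataclass
class Answer:
    command: str   # the dnsqr command that produced it, e.g. "a zac.qmail.jp"
    name: str
    ttl: int
    rtype: str
    data: str


def parse_dnsqr_session(text: str) -> List[Answer]:
    """One Answer per 'answer:' line, tagged with the dnsqr command above it."""
    answers: List[Answer] = []
    command = None
    for line in text.splitlines():
        m = COMMAND_RE.search(line)
        if m:
            command = f"{m.group(1)} {m.group(2)}"
            continue
        m = ANSWER_RE.match(line.strip())
        if m and command:
            answers.append(Answer(command, m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return answers


def ttl_history(answers: List[Answer], name: str, rtype: str) -> List[int]:
    """TTLs reported for one name/type, in the order they were observed."""
    return [a.ttl for a in answers if a.name == name and a.rtype == rtype]


def find_ttl_refreshes(answers: List[Answer]):
    """One finding per record whose TTL rose between two observations:
    (record key, earlier TTL, later TTL, commands issued in between)."""
    last: Dict[Tuple[str, str, str], Tuple[int, int]] = {}
    findings = []
    for idx, a in enumerate(answers):
        key = (a.name, a.rtype, a.data)
        if key in last:
            prev_ttl, prev_idx = last[key]
            if a.ttl > prev_ttl:
                between = [b.command for b in answers[prev_idx + 1:idx]]
                findings.append((key, prev_ttl, a.ttl, between))
        last[key] = (a.ttl, idx)
    return findings


if __name__ == "__main__":
    session = parse_dnsqr_session(TRANSCRIPT)
    print(ttl_history(session, "zac.qmail.jp", "NS"))   # [300, 286, 294, 292]
    for finding in find_ttl_refreshes(session):
        print(finding)
```

On this transcript the NS TTL runs 300, 286, 294, 292: the only increase is 286 to 294, and the one command between those two observations is `a zac.qmail.jp`, which is exactly the A query the comment above points at. Two caveats: the record is keyed on name, type and rdata, so a change of name server would show up as a new record rather than a refresh, and the transcript is one session against OpenDNS in 2011; repeating the commands against 208.67.222.222 today is not guaranteed to reproduce the behaviour.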