RTT Banding Removal From BIND 9

In response to our customers and colleagues, ISC has chosen to remove the RTT Banding feature from BIND 9, starting with BIND 9.8.0. Other supported versions will have RTT Banding removed in their next releases.

BIND 9.8.0 is scheduled to go out on March 1st, 2011. 9.8.1 will follow around a month later.

Before Banding

Prior to implementing RTT Banding, BIND 9 used a simple method of measurement with decay to ensure that the best known server is used to resolve queries. If one server for a domain was 10 ms away and another was 80 ms, BIND 9 would use the 10 ms server most often, but still periodically try the one that was further away. This provides a good mix of performance and adaptability in changing network situations.

About RTT Banding

RTT Banding was a security tool intended to add a small amount of randomness to make spoofing harder. This feature is implemented in BIND 9.5.x, 9.6.x, and 9.7.x versions of BIND. RTT Banding is a recursive server feature.

RTT stands for “Round Trip Time” – the time it takes for a question to reach a remote DNS server, and for the answer to come back. Typical times are within a small number of milliseconds for servers close by, up to 10 ms for servers at exchange points or within the same local area, and around 60 to 80 ms for US east to west coast traffic.

RTT Banding relies on a domain having at least two name servers, and that those name servers fall within the same band. If a domain has two name servers both of which fall into the first 0 – 128 ms band, an attacker cannot know which server was used for resolution, thus making a spoofing attack two times harder. If a domain has four servers in the same band, an attack is four times harder.

Compared to other anti-spoofing prevention mechanisms, this two to four times increase is minor. Port randomization can make an attacker’s likelihood of success between 4,000 and 65,000 times lower alone.

Why Banding is Bad

A very common scenario is for a large content provider to spend some time optimizing their DNS service. They may choose to install authoritative servers closer to customers to make DNS resolution as fast as possible.

RTT Banding defeats the benefit of locating servers closer to customers as queries may go to remote servers as frequently as to those which are closer.

For example, if a content provider has two servers which BIND may choose from, one 10 ms away and another 80 ms away, which is typical for US coast-to-coast traffic, with banding the average latency for queries is 45 ms. Without banding it would be slightly higher than 10 ms.

The minor security improvement experienced by using RTT Banding, compared to its serious effect on performance, has persuaded ISC to remove this feature from BIND 9.

0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Protected with IP Blacklist CloudIP Blacklist Cloud

What is 5 + 7 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)