NSEC Caching Limits Excessive Queries to DNS Root

APNIC has generously offered to sponsor the addition of aggressive negative caching (NSEC Aggressive Use) to BIND 9.12.0. They explain their reasons for supporting this work in an APNIC blog post.

Earlier research by Geoff Huston, Researcher at APNIC, into the volume of root zone queries had identified that the majority of queries to the root zone were for non-existent domains (NXDOMAIN responses). These queries are unnecessary because a busy resolver already has enough prior negative responses to interpolate these additional negative responses. For example, if the resolver already has a definitive prior response in cache that no zones exist between “.abba” and “.acme”, then it is unnecessary to query for “.abcd”.

The benefits of aggressive negative caching are:

  1. Faster responses to end-users. When a resolver queries the root for information, an end-user is waiting longer than necessary if the resolver could answer the question without making another query.
  2. Fewer queries to the DNS root, relieving the root servers of added load as Internet use grows.
  3. Finally, this technique provides some protection against a type of denial-of-service attack in which a resolver is pounded with a large number of requests for randomly-generated (non-existent) subdomains, requiring the resolver to make many useless queries.

BIND 9.12.0 will synthesize negative answers from cached NXDOMAIN, NODATA, and wildcard responses supplied with NSEC records. The 9.12.0 alpha release is available now, supporting synthesis from NXDOMAIN responses only. The 9.12.0 beta release will add support for synthesizing replies based on NODATA and wildcard responses.
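The synthesis step described above, as an added example that is not ISC's or BIND's code: a small cache that applies the RFC 8198 check to the root-zone case from this post. It assumes the cached NSEC records were DNSSEC-validated, and it also enforces the standard requirement that a cached NSEC proves no wildcard exists at the closest encloser before an NXDOMAIN is synthesized; the name spans it learns are constructed for illustration.

```python
# Added example (not ISC/BIND code): NSEC aggressive use per RFC 8198.
# A validated "owner NSEC next" record proves no name exists strictly
# between owner and next in DNSSEC canonical order, so a resolver holding
# it can answer NXDOMAIN for a covered name without asking the root again.

def canon_key(name: str) -> tuple:
    # RFC 4034 section 6.1 ordering: labels compared right to left as
    # lowercase octets; a name that is a prefix of another sorts first.
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def covers(owner: tuple, nxt: tuple, q: tuple) -> bool:
    """True if key q lies strictly inside the gap owner..nxt."""
    if owner < nxt:
        return owner < q < nxt
    return q > owner or q < nxt   # last NSEC wraps back to the zone apex

def closest_encloser(owner: tuple, nxt: tuple, q: tuple) -> tuple:
    """Longest ancestor of q shared with the covering NSEC's names."""
    best = ()
    for k in (owner, nxt):
        i = 0
        while i < min(len(k), len(q)) and k[i] == q[i]:
            i += 1
        if i > len(best):
            best = k[:i]
    return best

class NsecCache:
    def __init__(self):
        self.nsecs = []            # (owner, next) keys from validated answers
        self.upstream_queries = 0  # queries we still had to send to the root

    def learn(self, owner: str, nxt: str):
        self.nsecs.append((canon_key(owner), canon_key(nxt)))

    def _covering(self, q: tuple):
        return next(((o, n) for o, n in self.nsecs if covers(o, n, q)), None)

    def resolve(self, qname: str) -> str:
        q = canon_key(qname)
        span = self._covering(q)
        if span:
            # RFC 8198 also needs proof that no wildcard matches the name.
            wildcard = closest_encloser(*span, q) + (b"*",)
            if self._covering(wildcard):
                return "NXDOMAIN (synthesized)"
        self.upstream_queries += 1
        return "sent upstream"
```

With only the constructed span "abba. NSEC acme." cached, a query for "abcd." still goes upstream because nothing yet proves "*." is absent; once the apex record ". NSEC aaa." is also cached, the same query is answered from cache.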
