NSEC Caching limits excessive queries to DNS root

APNIC has generously offered to sponsor the addition of aggressive negative caching, also known as NSEC Aggressive Use, in BIND 9.12.0. They have explained their reasons for supporting this work in an APNIC blog posting.

Earlier research by Geoff Huston, Researcher at APNIC, into the volume of root zone queries had identified that the majority of queries to the root zone were for non-existent domains (NXDOMAIN responses). These queries are unnecessary, because a busy resolver already has enough prior negative responses in its cache to infer these additional negative responses. For example, if the resolver already has a definitive prior response in cache that no zones exist between “.abba” and “.acme”, then it is unnecessary to query for “.abcd”.
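The following is an added worked example of the inference described above; it is not BIND's code and not part of the original post. It implements DNS canonical name ordering, checks whether a cached NSEC record covers a queried name, and only synthesizes NXDOMAIN when both proofs a validator would require are present: an NSEC covering the name itself and one covering the wildcard at the closest encloser. The `NSEC` class, the helper names and the constructed root-style sample cache (records for `.`, `abba.` and `zw.`) are this example's own assumptions.

```python
"""Aggressive negative caching: synthesizing NXDOMAIN from cached NSEC records.

Added worked example, not BIND's own code. The record layout, function names
and the constructed sample cache are illustrative, modelled on the post's
example of a root-zone NSEC proving that nothing exists between abba. and acme.
"""
from dataclasses import dataclass


def _labels(name: str) -> list[bytes]:
    """Labels in canonical order (RFC 4034 section 6.1): rightmost label first,
    compared as lower-cased byte strings. The root '.' has no labels."""
    name = name.rstrip(".")
    return [] if not name else [l.encode("ascii").lower() for l in reversed(name.split("."))]


def canonical_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 following DNS canonical ordering (an ancestor sorts before its descendants)."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def common_ancestor(a: str, b: str) -> str:
    """Longest name that both a and b are at or below ('.' when only the root is shared)."""
    shared = []
    for x, y in zip(_labels(a), _labels(b)):
        if x != y:
            break
        shared.append(x.decode())
    return ".".join(reversed(shared)) + "."


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset = frozenset()  # type bitmap at the owner name, e.g. {"NS", "DS"}

    def covers(self, qname: str) -> bool:
        """qname sorts strictly between owner and next_name. The last NSEC of a zone
        points back to the apex, so it covers every name after its owner."""
        after_owner = canonical_cmp(self.owner, qname) < 0
        if canonical_cmp(self.next_name, self.owner) <= 0:
            return after_owner
        return after_owner and canonical_cmp(qname, self.next_name) < 0


def synthesize_nxdomain(qname: str, cached: list[NSEC]) -> bool:
    """True if the cached (already DNSSEC-validated) NSEC records prove that qname
    does not exist, so the resolver can answer NXDOMAIN without an upstream query.
    Two proofs are required, as in RFC 4035 section 5.4: an NSEC covering qname and
    an NSEC covering the wildcard at the closest encloser. An NSEC at a delegation
    point says nothing about names inside the child zone, so those are refused."""
    covering = next((n for n in cached if n.covers(qname)), None)
    if covering is None:
        return False
    below_delegation = ("NS" in covering.types and "SOA" not in covering.types
                        and canonical_cmp(common_ancestor(qname, covering.owner), covering.owner) == 0)
    if below_delegation:
        return False  # the delegated child zone is authoritative for qname
    # Closest encloser: the longer of qname's common ancestors with the covering
    # record's owner and next name (both are names that provably exist).
    ce_owner = common_ancestor(qname, covering.owner)
    ce_next = common_ancestor(qname, covering.next_name)
    closest = ce_owner if len(_labels(ce_owner)) >= len(_labels(ce_next)) else ce_next
    wildcard = "*." if closest == "." else "*." + closest
    return any(n.covers(wildcard) for n in cached)


# Constructed sample: three validated NSEC records a resolver might hold from the
# root zone. "abba." is a delegation (NS, no SOA); "zw." is the last name in the zone.
SAMPLE_CACHE = [
    NSEC(".", "aaa.", frozenset({"SOA", "NS", "NSEC", "RRSIG"})),
    NSEC("abba.", "acme.", frozenset({"NS", "DS", "NSEC", "RRSIG"})),
    NSEC("zw.", ".", frozenset({"NS", "DS", "NSEC", "RRSIG"})),
]

if __name__ == "__main__":
    for q in ("abcd.", "www.abba.", "abba.", "zzz."):
        print(q, "NXDOMAIN from cache" if synthesize_nxdomain(q, SAMPLE_CACHE) else "must query upstream")
```

Two details are worth noticing when running it. A query for `www.abba.` is not synthesized even though it sorts between `abba.` and `acme.`, because the `abba.` NSEC sits at a delegation and the child zone, not the root, decides what exists under it. And with only the `abba.`/`acme.` record in cache, `abcd.` is still sent upstream, because the record covering `*.` is missing and a wildcard could otherwise have produced an answer. In BIND this behaviour is controlled by the `synth-from-dnssec` option (from the BIND documentation, not from this post).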

The benefits of aggressive negative caching are:

  1. Faster responses to end users. When a resolver queries the root for information, an end user is waiting longer than necessary if the resolver could answer the question without making another query.
  2. Fewer queries to the DNS root, relieving the root servers of added load as Internet use grows.
  3. Finally, this technique provides some protection against a type of denial of service attack in which a resolver is pounded with a large number of requests for randomly-generated (non-existent) subdomains, requiring the resolver to make many useless queries.

BIND 9.12.0 will synthesize negative answers from cached NXDOMAIN, NODATA and wildcard responses supplied with NSEC records. The 9.12.0 alpha release is available now, supporting synthesis from NXDOMAIN responses only. The 9.12.0 beta release will add support for synthesizing replies based on NODATA and wildcard responses.

Last modified: September 29, 2017 at 10:55 am