| Internet-Draft | EFAS | February 2025 |
| Pan | Expires 27 August 2025 | [Page] |
This document describes about an authenticated subdomain whitelist (ASDWL) scheme to mitigate the random subdomain attacks on second-level domain (SLD).¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 27 August 2025.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The DNS random subdomain attack, also referred to as DNS water torture attack or pseudo-random subdomain attack, represents a form of DDoS attack specifically targeting DNS services. The attacker orchestrates huge amounts of bots to send queries to recursive resolvers. These queries are random subdomains under the victim domains, which are not currently cached in recursive resolvers. Consequently, the recursive resolvers must forward these queries to the authoritative servers responsible for the victim domains. This process places a significant burden on both the recursive resolvers and the authoritative servers, potentially leading to service degradation or outright failure.¶
We describe an authenticated subdomain whitelist (ASDWL) scheme to mitigate DNS random subdomain attacks on second-level domains.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
Basic terms used in this specification are defined in the documents [RFC1034], [RFC1035], [RFC8499].¶
The administor of SLD should generate a private key priv_wl used to sign the ASDWL, and issue an end-entity X.509 certificate Cert_wl for the corresponding public key pub_wl used to verify the ASDWL signature.¶
ASDWL followes the flattened JWS JSON serialization syntax, contains 3 parts: payload, header, and signature.¶
payload: Contains the whitelist subdomains information configured by the domain administrator of SLD.¶
header: Contains the parameters for the ASDWL signature, followed the definition of JSON web signature and encryption header parameters in [RFC7515].¶
alg: Contains the signature algorithm. In this example, ES256 means the ECDSA digital signature on Elliptic Curve NIST P-256 with SHA-256 message digest, followed the definition in [RFC7515].¶
x5c: Contains the X.509 certificate Cert_wl corresponding to the key priv_wl used to sign the ASDWL payload.¶
signature: Contains the signature of the payload, which is signed by priv_wl, and verified by Cert_wl.¶
{
'payload': {
'dom': 'example.com',
'date': '2023-12-25',
'subdoms': [
'abc'
],
'wildcard subdoms': [
'xxx'
]
},
'header': {
'alg' : 'ES256',
'x5c' : ....,
},
'signature': ...
}
¶
The administor of SLD should define a well-known subdomain '_asdwl.example.com' for the SLD 'example.com' to publish its ASDWL url address (marked as Url_wl).¶
And configure a DANE TLSA RR and a TXT RR for it.¶
TLSA RR: The TLSA RR indicates the digest of the public key of the ASDWL certificate Cert_wl.¶
TXT RR: The TXT RR indicates the ASDWL url address Url_wl of ASDWL. In this example, the url is 'https://_asdwl.example.com/asdwl.json'.¶
_443._tcp._asdwl.example.com. 3600 IN TLSA ( 3 1 1
d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971 )
_asdwl.example.com. 3600 IN TXT
'url=https://_asdwl.example.com/asdwl.json'
¶
When the authoritative server of SLD detects the random subdomain attack, it can attach the TLSA and TXT records of the well-known subdomain '_asdwl.example.com' to the DNS answer section. And then the recursive resolver can get ASDWL of the SLD 'example.com' with the following steps:¶
Recursive resolver could mitigate random subdomain attacks with ASDWL:¶
Recursive resolver loads ASDWL payload of SLD ‘example.com’ into the DDoS whitelist module.¶
Recursive resolver makes the mitigation on random subdomain attacks:¶
Recursive resolver allows all the legitimate queries of the whitelist subdomains (subdoms) from clients, and sends the queries to the authoritative server.¶
Recursive resolver allows all the legitimate queries of the whitelist wildcard subdomains (wildcard subdoms) from clients, only sends one query to ASsld for each wildcard subdomain zone, and store one response for all queries in each wildcard subdomain zone.¶
Recursive resolver makes rate limiting responses on other subdomains queries when it could afford. Recursive resolver drops the queries of other subdomains when the traffic is overwhelmed.¶
Through ASDWL, the authoritative server of SLD can give an explict subdomain list which recursive resolver should make best effort to serve. The recursive resolver to gain the subdomain whitelist directly from the authoritative server of SLD from the Url_wl of ASDWL.¶
It is compatible with DNSSEC, heuristic rule defense systems, and machine learning random subdomain defense systems [HeavyHitter] [DetectWaterTorture].¶
If DNSSEC [RFC9364] has been deployed on the SLD 'example.com', then the recursive resolver could make DNSSEC validation on the RRSIGs of TLSA/TXT RRs.¶