9-10 May 2015
Okura Hotel
Europe/Amsterdam timezone


Okura Hotel - Heian I/II
Public Workshop

A countermeasure of random subdomain attacks (Aggressive negative caching with NSEC)


Primary authors

  • Mr. Kazunori FUJIWARA

Abstract content

Random sub-domain attacks (also called "Water Torture" attacks) send many queries for non-existent names to full resolvers. Negative caching does not work well against them because the query names vary. However, NSEC resource records contain ranges of non-existent names. Aggressive negative caching using NSEC resource records may therefore be a countermeasure against random sub-domain attacks for signed domains. The presentation will explain a proposed protocol change, an attack tool, a patch to Unbound, and an experiment result. Aggressive negative caching also decreases non-existent TLD queries to root DNS servers. (about 20 minutes without questions)
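
The resolver-side check the abstract describes can be sketched as follows. This is an added example, not code from the presentation or from the Unbound patch. The zone `example.`, the NSEC chain, and all function names are constructed for illustration, and the records are assumed to be already DNSSEC-validated.

```python
# Added example: decide whether cached NSEC records let a resolver answer
# NXDOMAIN locally. Zone "example." and all records are constructed samples.

def key(name):
    """Canonical DNS ordering key (RFC 4034 section 6.1): labels compared
    right to left, lowercased, as raw octets."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]

def covers(owner, nxt, qname, apex):
    """True if the NSEC (owner -> nxt) proves that qname does not exist."""
    o, n, q, a = key(owner), key(nxt), key(qname), key(apex)
    if q[:len(a)] != a:          # qname is outside the signed zone
        return False
    if n[:len(q)] == q:          # qname is an empty non-terminal: it exists
        return False
    if o < n:                    # ordinary gap between two names
        return o < q < n
    return q > o                 # last NSEC: next name wraps to the apex

def closest_encloser(owner, nxt, qname):
    """Longest ancestor of qname shared with either end of the covering NSEC."""
    q = key(qname)
    best = 0
    for other in (key(owner), key(nxt)):
        i = 0
        while i < min(len(q), len(other)) and q[i] == other[i]:
            i += 1
        best = max(best, i)
    return ".".join(l.decode() for l in reversed(q[:best])) + "."

def can_synthesize_nxdomain(cache, apex, qname):
    """cache: list of (owner, next) pairs taken from validated NSEC records."""
    for owner, nxt in cache:
        if covers(owner, nxt, qname, apex):
            wild = "*." + closest_encloser(owner, nxt, qname)
            # A wildcard at the closest encloser could still match qname,
            # so it must be proven absent by a cached NSEC as well.
            return any(covers(o, n, wild, apex) for o, n in cache)
    return False

# Constructed NSEC chain for a small signed zone: (owner, next owner).
CACHE = [("example.", "mail.example."), ("mail.example.", "a.sub.example."),
         ("a.sub.example.", "www.example."), ("www.example.", "example.")]
```

Once these four records are cached, every random label under `example.` is answered from the cache without a query to the authoritative servers, while existing names and the empty non-terminal `sub.example.` are still resolved normally.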