You need to look at the reply named sends when it trips and starts
limiting UDP traffic sourced from a given IP address. It tells the
requestor to try again using TCP instead of UDP.
So if the requestor is a legit DNS server, it will retry using TCP and
still get a valid answer.
Named does not blindly just drop traffic.
Lyle Giese
LCR Computer Services, Inc.
On 12/1/20 4:58 AM, Karl Pielorz wrote:
Hi all,
So there's been quite a thread - that originally started as "Bind
stats - denied queries" - and morphed into a whole discussion on
spoofed UDP, logging, RRL etc.
In my original post - I never said the original traffic was likely
legitimate in any way (just so we're clear - I didn't start that aspect
of that thread).
So,
Obviously RRL is pretty much all you can do with this stuff -
presumably, if someone throws a lot of queries that 'trip' the RRL -
but, say, spoofed from another ISP's actual DNS servers/network - the
idea is that those IPs' legitimate UDP queries will start getting
dropped :( - but the other ISP's DNS will then, hopefully, switch from
UDP to TCP to get an answer?
Looking at the distribution of rubbish we're seeing - I'm suspecting
some of the limits would have to be 'really low' to catch some of this
stuff (i.e. sometimes we just see 5 queries from an IP, and then
nothing for hours - even from within the same /24).
Obviously the server can weather quite a bit of this, and you can't
"block everything" (which is - in a circle, why I was asking
originally about getting stats for it :)
Regards,
-Karl
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/ for more
information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
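Added example, not part of either message above and not BIND's own code: a small, self-contained model of the two RRL behaviours the thread turns on. A per-client credit bucket drops responses once a source exceeds the limit, and "slip" turns every Nth would-be-dropped response into a truncated (TC=1) reply, which is the signal a legitimate resolver acts on by retrying over TCP. It also replays Karl's low-rate pattern (five queries from one /24, then nothing for hours) to show that it never trips a limit at all. The parameter defaults, the /24 bucketing and the credit arithmetic are simplifications chosen here for illustration; the addresses and the query are constructed test data.

```python
"""Simplified model of DNS Response Rate Limiting (RRL) and the TC-bit
retry signal. Added example; it is not BIND's implementation. The
defaults below (5 responses/second, 5-second window, slip 2, /24 buckets)
are illustrative assumptions, not a recommendation."""
import ipaddress
import struct
from collections import defaultdict

TC_FLAG = 0x0200  # Truncated bit in the DNS header flags word
QR_FLAG = 0x8000  # Response bit
RD_FLAG = 0x0100  # Recursion Desired (echoed from the query)


class Rrl:
    """Per-source-prefix credit bucket with BIND-style 'slip' behaviour."""

    def __init__(self, responses_per_second=5, window=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.window = window          # seconds of credit a quiet client may bank
        self.slip = slip              # every slip-th dropped response is sent truncated
        self.prefix_len = prefix_len
        self._credit = {}             # bucket -> (tokens, last_seen)
        self._dropped = defaultdict(int)
        self.stats = {"sent": 0, "dropped": 0, "slipped": 0}

    def bucket(self, src_ip):
        # Clients are limited per address prefix, not per individual address.
        return str(ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False))

    def decide(self, src_ip, now):
        """Return 'send', 'drop' or 'slip' for one would-be response."""
        b = self.bucket(src_ip)
        cap = self.rps * self.window
        tokens, last = self._credit.get(b, (cap, now))
        # Replenish rps tokens per elapsed second, capped at the window's worth.
        tokens = min(cap, tokens + (now - last) * self.rps)
        if tokens >= 1:
            self._credit[b] = (tokens - 1, now)
            self.stats["sent"] += 1
            return "send"
        self._credit[b] = (tokens, now)
        self._dropped[b] += 1
        if self.slip and self._dropped[b] % self.slip == 0:
            self.stats["slipped"] += 1
            return "slip"     # answer with TC=1 instead of silence
        self.stats["dropped"] += 1
        return "drop"


def truncated_reply(query_wire):
    """What a slipped response looks like: the query header echoed back with
    QR and TC set, the question copied, and no answer records."""
    qid, flags, qdcount = struct.unpack("!3H", query_wire[:6])
    flags = QR_FLAG | TC_FLAG | (flags & RD_FLAG)   # rcode NOERROR, nothing else set
    header = struct.pack("!6H", qid, flags, qdcount, 0, 0, 0)
    return header + query_wire[12:]                 # question section only


def needs_tcp_retry(reply_wire):
    """Resolver side: TC=1 means 'ask again over TCP', not 'no answer'."""
    flags = struct.unpack("!H", reply_wire[2:4])[0]
    return bool(flags & TC_FLAG)


def run_flood(n=30, src="192.0.2.10"):
    """One (possibly spoofed) source sends n queries in the same instant."""
    rrl = Rrl()
    decisions = [rrl.decide(src, 0.0) for _ in range(n)]
    return decisions, rrl.stats


def run_low_rate(bursts=10, per_burst=5):
    """Karl's pattern: a few queries from one /24, then hours of silence."""
    rrl = Rrl()
    for h in range(bursts):
        src = f"203.0.113.{10 + h}"          # different host, same /24 bucket
        for _ in range(per_burst):
            rrl.decide(src, h * 3600.0)
    return rrl.stats


if __name__ == "__main__":
    decisions, stats = run_flood()
    print("flood:", stats, "tail:", decisions[-5:])
    print("low rate:", run_low_rate())
    query = struct.pack("!6H", 0x1234, RD_FLAG, 1, 0, 0, 0) + \
        b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)   # example.com A IN
    print("retry over TCP?", needs_tcp_retry(truncated_reply(query)))
```

With these assumed defaults the flood of 30 gets 25 answers, then alternates drop/slip, so a real resolver behind a spoofed address still receives a TC=1 reply within two queries and falls back to TCP; the low-rate pattern never exhausts the bucket, which is why Karl's "5 queries then nothing" traffic is invisible to RRL at any sane setting. In BIND itself the corresponding knobs are `responses-per-second`, `window`, `slip` and `ipv4-prefix-length` inside the `rate-limit` block, and `log-only yes` logs what would have been limited without actually dropping or truncating anything, which is the cheapest way to get the stats Karl was originally after before turning enforcement on.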