On Fri, Sep 28, 2012 at 09:17:42AM +0200, Dan Luedtke wrote:
> When an IP address is blocked, we still answer to it, but only once[1].
> Regardless of what the query is, we answer:
>
> TXT "temporary_blocked <challenge_1> <challenge_2>"
Hmmm, for authoritative servers we might also emit a CNAME "challenge". This
would be a needless and semantically null transition, but only a bona fide
resolver will come back to follow the CNAME trail.
This allows us to test for two-way communications without using truncated
packets or TCP.
We could encode the correct destination in the CNAME; for A and
AAAA this is trivial. If you come back to resolve
encoded-12.32.43.43.attackeddomain.com, you get 12.32.43.43 etc. For extra
resilience, encrypt it.
I did not think this through too deeply, but what do people think?
Bert
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
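The CNAME challenge sketched in the message above, as an added example that is not part of the original thread and not PowerDNS or any other project's code. It models an authoritative server that gives a blocked source address exactly one answer: a CNAME whose target encodes the real A/AAAA record, and only a client that actually received that answer can query the encoded name and lift the block. The zone name and the "encoded-" label prefix are taken from the mail's example name; the server key, the client addresses, the zone contents and the TXT fallback for non-address queries are constructed for the example. The mail suggests encrypting the payload; this example instead appends a truncated HMAC label so that a forged follow-up name cannot unblock an address, which is a substitution made here, not the author's proposal.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed parameters for the example (assumptions, not from the mail).
ZONE = "attackeddomain.com"                 # zone from the mail's example name
PREFIX = "encoded-"                         # label prefix from the mail's example name
KEY = b"hypothetical per-server secret"     # key for the authentication tag (assumption)
TAG_LEN = 16                                # hex chars of truncated HMAC-SHA256 kept in the name


def _tag(body: str) -> str:
    """Truncated HMAC over the encoded payload; binds the name to this server's key."""
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def encode_target(ip: str) -> str:
    """Build the CNAME target that carries the real answer for a blocked client.

    IPv4 becomes dotted labels (encoded-12.32.43.43...), IPv6 one 32-hex-digit label.
    A tag label is appended (assumption, in place of the mail's 'encrypt it') so a
    follow-up query for a made-up name is rejected by decode_target().
    """
    addr = ipaddress.ip_address(ip)
    body = PREFIX + (str(addr) if addr.version == 4 else addr.exploded.replace(":", ""))
    return f"{body}.{_tag(body)}.{ZONE}"


def decode_target(qname: str) -> Optional[str]:
    """Recover the real address from a challenge name, or None if it is not a valid one."""
    name = qname.rstrip(".").lower()
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return None
    body, sep, tag = name[: -len(suffix)].rpartition(".")
    if not sep or not body.startswith(PREFIX):
        return None
    if not hmac.compare_digest(tag, _tag(body)):      # constant-time tag check
        return None
    raw = body[len(PREFIX):]
    try:
        if "." in raw:
            return str(ipaddress.IPv4Address(raw))
        if len(raw) != 32:
            return None
        return str(ipaddress.IPv6Address(":".join(raw[i:i + 4] for i in range(0, 32, 4))))
    except ValueError:
        return None


@dataclass
class AuthServer:
    """Toy authoritative server: a zone plus per-client block state."""
    records: dict                                   # (qname, qtype) -> rdata
    blocked: set = field(default_factory=set)       # source IPs currently rate-blocked
    challenged: set = field(default_factory=set)    # blocked IPs that already got their one answer

    def answer(self, client_ip: str, qname: str, qtype: str) -> Optional[Tuple[str, str]]:
        """Return (rtype, rdata) to send back, or None to drop the query silently."""
        qname = qname.rstrip(".").lower()

        # A query for a valid challenge name can only come from a host that received
        # the CNAME, i.e. the real owner of the source address: answer and lift the block.
        real = decode_target(qname)
        if real is not None:
            self.blocked.discard(client_ip)
            self.challenged.discard(client_ip)
            family = "AAAA" if ":" in real else "A"
            return (family, real) if qtype == family else None

        if client_ip in self.blocked:
            if client_ip in self.challenged:
                return None                         # the single answer was already sent
            self.challenged.add(client_ip)
            rdata = self.records.get((qname, qtype))
            if qtype in ("A", "AAAA") and rdata is not None:
                return ("CNAME", encode_target(rdata))   # the challenge itself
            return ("TXT", "temporary_blocked")          # fallback for other qtypes (assumption)

        rdata = self.records.get((qname, qtype))
        return (qtype, rdata) if rdata is not None else None


def demo() -> dict:
    """Walk the exchange: 198.51.100.7 was blocked (say, because its address was spoofed
    in a flood); its genuine resolver follows the CNAME and is unblocked, a forged name is not."""
    srv = AuthServer(records={("www." + ZONE, "A"): "12.32.43.43"}, blocked={"198.51.100.7"})
    out = {}
    out["normal"] = srv.answer("203.0.113.5", "www." + ZONE, "A")        # unblocked client
    out["challenge"] = srv.answer("198.51.100.7", "www." + ZONE, "A")    # one CNAME answer
    out["repeat"] = srv.answer("198.51.100.7", "www." + ZONE, "A")       # dropped
    forged = f"{PREFIX}12.32.43.43.{'0' * TAG_LEN}.{ZONE}"               # bad tag, dropped
    out["forged"] = srv.answer("198.51.100.7", forged, "A")
    out["followup"] = srv.answer("198.51.100.7", out["challenge"][1], "A")
    out["unblocked"] = "198.51.100.7" not in srv.blocked
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:>10}: {result}")
```

The point of the tag label is that the follow-up query is the proof of two-way reachability: a spoofing attacker never sees the CNAME sent to the victim address, so it cannot construct the name that unblocks it. In a real deployment the challenge names would also need a very short TTL so caching resolvers do not keep re-using an old target.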