On Thu, 10 Jan 2013, Jim Reid wrote:
> IMO, responding to these spoofed queries is a Bad Idea.
Not responding is worse.

- valid recursors will just retry
- valid recursors might conclude the auth server is slow/bad/unreachable and avoid it for legitimate queries as well.
> The BIND RRL patch -- just reply to one in a thousand (say) of the bogus queries -- is perhaps the best defence. Though it's not the only one.
It's a _much_ better defense.
> It would be nice if ANY queries just got thrown away.
No, it would not be. Just like a totally mangled packet still gets an answer. You want legitimate resolvers to stop retrying their bogus stuff. Additionally, once ANY queries were dropped, attackers would move to requesting NSEC3 answers or CNAME/DNAME chains.

Paul
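As an added example (not code from this thread or from BIND), a toy model of the RRL "slip" behaviour discussed above: responses are rate-limited per client prefix and answer, and every slip-th suppressed response goes out truncated so a legitimate resolver retries over TCP instead of giving up on the auth server. The limits, the bucket key and the addresses are assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

class ResponseRateLimiter:
    """Toy model of DNS Response Rate Limiting (RRL) with "slip".

    Responses are counted per (client prefix, qname, qtype) per second.
    Over the limit, responses are dropped, except that every slip-th
    suppressed response is sent truncated (TC=1): a legitimate resolver
    retries over TCP, while a spoofed victim receives almost nothing.
    Parameters and the bucket key are assumptions, not BIND's defaults.
    """

    def __init__(self, responses_per_second=5, slip=1000, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip
        self.prefix_len = prefix_len
        # key -> [current second, responses sent this second, suppressed so far]
        self.buckets = defaultdict(lambda: [None, 0, 0])

    def decide(self, src_ip, qname, qtype, now):
        """Return "ANSWER", "TRUNCATE" or "DROP" for one would-be response."""
        net = ip_network(f"{src_ip}/{self.prefix_len}", strict=False)  # IPv4 /24
        bucket = self.buckets[(net, qname.lower(), qtype)]
        second = int(now)
        if bucket[0] != second:            # new second: refill the bucket
            bucket[0], bucket[1] = second, 0
        if bucket[1] < self.rps:
            bucket[1] += 1
            return "ANSWER"
        bucket[2] += 1
        if bucket[2] % self.slip == 0:     # every slip-th excess: TC=1 reply
            return "TRUNCATE"
        return "DROP"

def simulate_flood(limiter, spoofed_src, count, qname="example.com", qtype="ANY"):
    """Constructed flood: `count` spoofed queries within one second from one source."""
    decisions = Counter()
    for i in range(count):
        decisions[limiter.decide(spoofed_src, qname, qtype, now=i / count)] += 1
    return decisions

if __name__ == "__main__":
    rl = ResponseRateLimiter(responses_per_second=5, slip=1000)
    print(simulate_flood(rl, "192.0.2.7", 3000))
    # A resolver elsewhere is unaffected; a host in the same /24 shares the bucket.
    print(rl.decide("198.51.100.9", "example.com", "ANY", now=0.5))
    print(rl.decide("192.0.2.200", "example.com", "ANY", now=0.5))
```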
