On 10 Jan 2013, at 17:39, Matthew Ghali <[email protected]> wrote:

> So if I understand correctly, the solution you are advocating is to only
> answer non-spoofed queries?

It's one of them, yes. Though since it's hard for a DNS server to distinguish between spoofed and genuine source IP addresses, the RRL patch is the easiest way to get the same effect. Your server would then respond to a teeny fraction of the thousands of queries per second from the same (forged) IP address(es). Further measures will be necessary, especially if/when the characteristics of the current attacks change to make them less amenable to RRL dampening. Sadly, there is no magic bullet which will solve this problem. A bunch of countermeasures and defences are needed, some of which will be outside the realm of network operations or the DNS protocol. This should not be news to anyone here.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
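The "respond to a teeny fraction" behaviour described in the reply above, shown as an added illustration that is not code from the original post, from the list, or from the RRL patch itself. This is a simplified Python model of Response Rate Limiting: responses are bucketed by (client /24 or /56, query name, query type), each bucket earns a fixed number of full responses per second, excess responses are dropped, and every slip-th dropped response is instead sent as a small truncated reply so a genuine client can retry over TCP. The knob names echo the documented BIND RRL options, but the constants, the bucket key and the credit/debt arithmetic are assumptions for this model, not the patch's source. The flood (1000 identical queries per second from one forged address for 10 seconds) and the genuine client traffic are constructed inputs.

```python
"""Simplified model of DNS Response Rate Limiting (RRL). Added example; not the RRL patch."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RRLConfig:
    # Values chosen to resemble commonly documented RRL settings; they are assumptions here.
    responses_per_second: int = 5   # full responses allowed per bucket per second
    window: int = 5                 # seconds of credit (and of debt) a bucket may accumulate
    slip: int = 2                   # every slip-th over-limit response is sent truncated (0 = never)
    ipv4_prefix_length: int = 24    # clients aggregated per /24 ...
    ipv6_prefix_length: int = 56    # ... or per /56, since spoofers can vary low bits freely


class RRL:
    def __init__(self, cfg=None):
        self.cfg = cfg or RRLConfig()
        self.credits = {}                       # bucket -> (credit, time of last refill)
        self.slip_counter = defaultdict(int)    # bucket -> over-limit responses seen

    def _bucket(self, client_ip, qname, qtype):
        addr = ip_address(client_ip)
        plen = self.cfg.ipv4_prefix_length if addr.version == 4 else self.cfg.ipv6_prefix_length
        net = ip_network(f"{addr}/{plen}", strict=False)
        return (str(net), qname.lower(), qtype.upper())

    def decide(self, now, client_ip, qname, qtype):
        """Return 'answer', 'truncate' or 'drop' for a query arriving at time `now` (seconds)."""
        cfg = self.cfg
        key = self._bucket(client_ip, qname, qtype)
        credit, last = self.credits.get(key, (cfg.responses_per_second, now))
        # Refill once per elapsed whole second, never beyond `window` seconds' worth of credit.
        elapsed = int(now) - int(last)
        if elapsed > 0:
            credit = min(credit + elapsed * cfg.responses_per_second,
                         cfg.window * cfg.responses_per_second)
            last = now
        credit -= 1
        if credit >= 0:
            self.credits[key] = (credit, last)
            return "answer"
        # Over the limit. Debt is capped so a bucket recovers `window` seconds after a flood stops.
        self.credits[key] = (max(credit, -cfg.window * cfg.responses_per_second), last)
        self.slip_counter[key] += 1
        if cfg.slip and self.slip_counter[key] % cfg.slip == 0:
            return "truncate"   # TC=1 reply with no answer section: tiny, and a real client retries over TCP
        return "drop"


def simulate(rrl, queries):
    """Run (time, client_ip, qname, qtype) tuples through the limiter and tally the verdicts."""
    counts = {"answer": 0, "truncate": 0, "drop": 0}
    for t, ip, name, qtype in queries:
        counts[rrl.decide(t, ip, name, qtype)] += 1
    return counts


def attack_stream(rate, seconds, ip="192.0.2.10", qname="example.com.", qtype="ANY"):
    """Constructed reflection flood: `rate` identical queries per second with a forged source."""
    return [(s + i / rate, ip, qname, qtype) for s in range(seconds) for i in range(rate)]


def legitimate_stream(seconds, ip="198.51.100.7"):
    """Constructed resolver traffic: one query per second for varying names."""
    return [(s + 0.5, ip, f"host{s}.example.com.", "A") for s in range(seconds)]


if __name__ == "__main__":
    rrl = RRL()
    print("flood:", simulate(rrl, attack_stream(1000, 10)))
    # A different network asking the same question during the flood is still answered.
    print("victim-side genuine client:", rrl.decide(5.5, "198.51.100.7", "example.com.", "ANY"))
    print("unrelated traffic:", simulate(RRL(), legitimate_stream(10)))
```

With these settings the forged source gets its first five full answers and then nothing but drops and the occasional truncated reply for as long as the flood lasts, while a client in another /24 asking the identical question is answered normally; once the flood stops, the bucket is back to answering after `window` seconds. The model keys on the masked client address precisely because the attacker chooses the source address, which is the point made in the reply: the server cannot tell the forged queries from real ones, so it limits what it will reflect towards any one place.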
