On 25-02-13 16:38, John Kristoff wrote:
>
> To wit, suggestion #1 is to block query types you know you do not
> have answers for. On the face, this may seem sensible and in some
> dire, but probably limited scenarios maybe it even helps. To do
> so typically requires some sort of DPI device in front of the DNS
> server, a solution often not readily available.
>
> This suggestion also hurts a legitimate resolver.

Not only that, but it hurts their own network even more. They will receive more queries and more incoming traffic if they block certain queries instead of answering with NXdomain. Earlier research (1) of resolver behavior has shown that a resolver will re-query up to 8 times before timing out, where an NXdomain answer will immediately shut it down and the answer is cached at the resolver. So they will have up to 8 times higher incoming traffic if they block instead of answer.

(1) https://www.dns-oarc.net/files/workshop-201103/BartGijsen-DNS-client-analysis.pdf

-- 
Antoin Verschuren
Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500 M: +31 6 23368970
Mailto: [email protected] XMPP: [email protected] HTTP://www.sidn.nl/

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
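The traffic argument made in the post above, as an added simulation that is not part of the original message: a resolver with a negative cache is run against an authoritative server that either silently drops queries it has no answer for or returns NXDOMAIN, and the number of queries the server actually receives is counted. The retry limit of 8 comes from the post; the negative-cache TTL, the client query stream and the record type are constructed assumptions.

```python
"""Model of drop-vs-NXDOMAIN as seen by the authoritative server.
Added illustration, not code from the original post. MAX_RETRIES is taken
from the post; NEG_TTL and the client stream are constructed assumptions."""
from dataclasses import dataclass, field

MAX_RETRIES = 8   # from the post: a resolver re-queries up to 8 times before timing out
NEG_TTL = 300     # assumed negative-cache TTL in seconds (the zone's SOA minimum)


@dataclass
class AuthServer:
    policy: str            # "drop" (block the query type) or "nxdomain" (answer it)
    queries_seen: int = 0  # inbound queries, the quantity the post is about

    def handle(self, qname, qtype):
        self.queries_seen += 1
        return None if self.policy == "drop" else "NXDOMAIN"


@dataclass
class Resolver:
    upstream: AuthServer
    neg_cache: dict = field(default_factory=dict)  # (qname, qtype) -> expiry time

    def resolve(self, qname, qtype, now):
        key = (qname, qtype)
        if key in self.neg_cache and self.neg_cache[key] > now:
            return "NXDOMAIN (cached)"        # served locally, no upstream traffic
        for _ in range(MAX_RETRIES):          # re-query until an answer or the retry limit
            rcode = self.upstream.handle(qname, qtype)
            if rcode is not None:
                self.neg_cache[key] = now + NEG_TTL   # negative answer is cached
                return rcode
        return "SERVFAIL"                     # timed out: nothing to cache, repeat next time


def simulate(policy, client_queries):
    """Replay the same client query stream against a server with the given
    policy and return how many queries reached the authoritative server."""
    auth = AuthServer(policy)
    res = Resolver(auth)
    for t, qname, qtype in client_queries:
        res.resolve(qname, qtype, t)
    return auth.queries_seen


# Constructed client stream: the same unsupported query type asked five times
# within one minute, i.e. well inside the negative TTL.
CLIENTS = [(t * 10, "example.com", "TYPE65") for t in range(5)]

if __name__ == "__main__":
    print("drop:", simulate("drop", CLIENTS), "nxdomain:", simulate("nxdomain", CLIENTS))
```

With caching counted, the gap is wider than the 8x the post quotes: the NXDOMAIN server sees one query for the whole stream, the blocking server sees 8 per client attempt.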
