What Vláďa said - implementing RRL (e.g. return an empty answer with the TC bit), requiring DNS COOKIE, or perhaps at least just generating SERVFAIL would be a much better option.
Giving back NXDOMAIN is … misunderstanding DNS at best.

Ondrej
--
Ondřej Surý (He/Him)

> On 3. 4. 2025, at 15:57, Vladimír Čunát <[email protected]> wrote:
>
> On 03/04/2025 15.18, Emmanuel Fusté wrote:
>> - DNS should never completely stop responding to one IP, just as it should
>> never arbitrarily alter the value of an answer.
>
> Ideally yes, but... here's a consideration: if you don't reply or make some
> reply that looks like an error, the client is more likely to make more
> retries than when you reply with something that looks like a plausible
> answer. That's just for non-intentional DoS and perhaps indirect attacks
> through some 3rd-party resolver, of course; direct intentional attackers
> won't care.
>
> Still, I most likely wouldn't use NXDOMAIN in this case.
>
> Also note that over UDP the source IP is spoofable, so attackers can leverage
> such anti-DoS mechanisms to better DoS other particular consumers of that
> server.
>
> --Vladimir | knot-resolver.cz
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
