Hi Remi! Thanks for the details.
> > Blocking all queries to the attacked domain prevents collateral
> > damage, but causes a DoS to the attacked domain and makes the customer
> > of the attacked domain unhappy.
>
> I fully agree, and we are working on having smarter mitigations in
> dnsdist to only drop/truncate/route to a different pool queries that
> are very likely to be part of a PRSD/enumeration attack.

Do you already have ideas how to implement that? I have thought a lot
about an algorithm to block only "bad" queries but have not found a
method yet.

For authoritative nameservers, meanwhile I think it would be better to
just load the attacked zone completely into dnsdist or pdns-cache (or
something similar to aggressive caching), because I think just
answering (mostly NXDOMAIN) may be faster than deciding if a query is
bad or good.

Regards
Klaus

_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
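The "only drop/truncate/route the likely-bad queries" idea discussed above, as an added worked example that is not part of the thread and not dnsdist's own code or mechanism. It combines a name-shape heuristic (label length and per-character entropy) with a per-source sliding window, so that a single odd-looking name is never penalised on its own: a source that keeps sending random-looking names under the protected zone is first truncated (TC=1, forcing a TCP retry a spoofed source cannot complete) and then dropped, while ordinary-looking queries to a zone that is currently under attack are routed to a separate pool instead of being blocked. The zone name, the client addresses, the thresholds and the query log are all constructed for the example; the thresholds are assumptions, not measured values.

```python
import math
from collections import defaultdict, deque

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def first_label_under(qname, zone):
    """Label directly below `zone` in `qname` ('www' for www.example.com),
    or None when qname is not a proper subdomain of zone."""
    q = qname.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    if not q.endswith("." + z):
        return None
    return q[: -len(z) - 1].split(".")[-1]


def looks_random(label, min_len=8, min_bits=3.2):
    """Name-shape heuristic: long labels with high per-character entropy.
    Thresholds are assumed, not measured; a legitimate but odd name such as
    'mail2019archive' is flagged too, which is why the per-source window
    below never acts on a single flagged query."""
    return len(label) >= min_len and shannon_entropy(label) >= min_bits


class PrsdTriage:
    """Per-query decision for one protected zone: pass, route, truncate or drop.

    Random-looking names are counted per source address inside a sliding
    window. A source above `per_client_suspect` is truncated, above
    `per_client_drop` it is dropped. While the zone as a whole has seen at
    least `zone_attack` random-looking names in the window, ordinary-looking
    queries to it are routed to a separate pool so collateral damage stays
    contained instead of blocking the whole zone.
    """

    def __init__(self, zone, window_s=10.0, per_client_suspect=5,
                 per_client_drop=20, zone_attack=15):
        self.zone = zone
        self.window_s = window_s
        self.per_client_suspect = per_client_suspect
        self.per_client_drop = per_client_drop
        self.zone_attack = zone_attack
        self.random_seen = defaultdict(deque)  # client -> timestamps of random-looking names
        self.zone_random = deque()             # same, across all clients

    def _expire(self, dq, now):
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def decide(self, now, client, qname):
        label = first_label_under(qname, self.zone)
        if label is None:
            return "pass"                      # not the protected zone
        self._expire(self.zone_random, now)
        per_client = self.random_seen[client]
        self._expire(per_client, now)
        if looks_random(label):
            per_client.append(now)
            self.zone_random.append(now)
            if len(per_client) >= self.per_client_drop:
                return "drop"
            if len(per_client) >= self.per_client_suspect:
                return "truncate"
        if len(self.zone_random) >= self.zone_attack:
            return "route"                     # zone under attack: isolate, do not block
        return "pass"


def build_sample_log():
    """Constructed query log of (timestamp, client, qname); not real traffic."""
    attacker, legit = "203.0.113.7", "198.51.100.2"
    records = []
    for i in range(25):
        # 12 distinct characters per label -> entropy log2(12), about 3.58 bits
        label = "".join(ALPHABET[(i * 7 + k) % 36] for k in range(12))
        records.append((0.1 + 0.2 * i, attacker, f"{label}.example.com"))
    records += [
        (0.0, legit, "www.example.com"),
        (1.0, legit, "assets-static.example.com"),
        (2.0, legit, "mail2019archive.example.com"),  # false positive of the name heuristic
        (4.0, legit, "www.example.com"),
        (4.6, legit, "www.example.net"),              # a different zone entirely
    ]
    return sorted(records)


def triage_log(records, zone="example.com"):
    """Run the triage over a time-ordered log; return {client: {decision: count}}."""
    triage = PrsdTriage(zone)
    summary = defaultdict(lambda: defaultdict(int))
    for ts, client, qname in records:
        summary[client][triage.decide(ts, client, qname)] += 1
    return {client: dict(counts) for client, counts in summary.items()}


if __name__ == "__main__":
    for client, counts in triage_log(build_sample_log()).items():
        print(client, counts)
```

On the sample log the attacker's first four queries pass (nothing is known yet), the next fifteen are truncated and the last six dropped, while the legitimate client is never truncated or dropped: its one odd name passes, and only its query at t=4.0, sent after the zone crossed the attack threshold, is routed to the separate pool. The entropy thresholds are the weak part of this scheme and need tuning against the real zone's naming; the per-source window is what keeps that weakness from turning into a block of legitimate clients.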