What's the importance of v6 AAAA lookups in this scenario? If you're not
allowing recursion to the public, the name server can answer a v6 AAAA
query (for the zones it serves) as efficiently as any v4 A query, no?

Do you need publicly available recursion (why?), or what's special about
v6 AAAA that makes it more of a DoS than plain v4 queries?

Daniel


It's not needed. They don't run v6 name service. Perhaps I should have made that clear. The issue is how to filter out a barrage of v4 DNS lookups for v6 AAAA host records.
Whether you run a v6 name service or not is not really relevant in this scenario. The issue at hand is how do you filter this DoS of packets flooding in? You can't filter out all udp 53. You can't filter based on payload. The result in the end is no different than a v4 DNS DoS. The interesting part to me was the request for v6 host records using a v4 packet. Hence I was curious if anyone had any ideas on this. It's merely an exercise for the reader at this point since all I can recommend to him is he get the help of his upstream.
With this unique request it's at least *possible* to filter out packets based on payload. Nuke v6 packets on udp/53 since you don't run a v6 name service. If it was just straight v4 A record storms you would just be totally screwed. Sure you could rate limit etc., but you would still be overrun. I was just curious if anyone had any ideas on this subject. Theoretical or practical.

Chris Watson
What really happens in Iraq: http://riverbendblog.blogspot.com/




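The payload-based filter Chris describes (drop UDP/53 datagrams whose question is a AAAA record, because the server publishes no v6 records) comes down to parsing the DNS question section and checking QTYPE. The following is an added example, not code from either poster: it builds constructed query packets, walks the question section defensively (truncated datagrams, bad label lengths, compression pointers, answers masquerading as queries) and returns an accept/drop verdict. Packet contents, names and function names are all invented for illustration.

```python
"""
Classify the body of a UDP/53 datagram so an inline filter in front of an
authoritative server can drop AAAA (QTYPE 28) lookups. Added example with
constructed packets; nothing here is captured traffic.
"""
import struct

QTYPE_A = 1
QTYPE_AAAA = 28
QCLASS_IN = 1
HEADER_LEN = 12


def build_query(name, qtype, txid=0x1234):
    """Construct a minimal DNS query datagram (test input only)."""
    # ID, flags (RD set, QR clear), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _skip_name(payload, offset):
    """Return the offset just past the QNAME that starts at `offset`.

    Raises ValueError on anything malformed so the caller can drop it
    without ever handing the datagram to the name server.
    """
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        if length == 0:                      # root label ends the name
            return offset + 1
        if length & 0xC0 == 0xC0:            # compression pointer (2 bytes)
            if offset + 1 >= len(payload):
                raise ValueError("truncated pointer")
            return offset + 2
        if length > 63:                      # labels are at most 63 octets
            raise ValueError("bad label length")
        offset += 1 + length


def question_types(payload):
    """Return the QTYPE of every question in a DNS query, or raise ValueError."""
    if len(payload) < HEADER_LEN:
        raise ValueError("short header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:HEADER_LEN])
    if flags & 0x8000:                       # QR bit set: a response, not a query
        raise ValueError("not a query")
    offset = HEADER_LEN
    qtypes = []
    for _ in range(qdcount):
        offset = _skip_name(payload, offset)
        if offset + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
        qtypes.append(qtype)
        offset += 4
    return qtypes


def verdict(payload, drop_types=frozenset({QTYPE_AAAA})):
    """'drop' if any question asks for a type the server never serves
    (or the datagram is malformed), 'accept' otherwise."""
    try:
        qtypes = question_types(payload)
    except ValueError:
        return "drop"
    return "drop" if any(t in drop_types for t in qtypes) else "accept"


if __name__ == "__main__":
    samples = {
        "A www.example.com": build_query("www.example.com", QTYPE_A),
        "AAAA www.example.com": build_query("www.example.com", QTYPE_AAAA),
        "garbage": b"\x00" * 5,
    }
    for label, pkt in samples.items():
        print(f"{label:24s} -> {verdict(pkt)}")
```

In practice this logic sits wherever you can see the UDP payload before the resolver does (a userspace proxy on port 53, an XDP/eBPF program, or a DPI-capable upstream filter), not in a plain 5-tuple ACL. The caveat is that it silently drops legitimate AAAA queries from dual-stack resolvers as well; a normally loaded authoritative server would answer those with NODATA, so the filter is a flood-time measure, not a permanent config.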