[dns-operations] DNS greylisting?
fw at deneb.enyo.de
Tue Mar 7 19:21:33 UTC 2006
* Paul Vixie:
> if large numbers of nonmalicious queries are forced to use TCP, then a
> malfeasant can deny service for those queries by attacking the TCP quota
> and connection management logic in the nameserver.
The idea is to use SYN cookies to whitelist "good" addresses, without
keeping too much state server-side. You can use CNAME RRs to
implement pure UDP-based cookies, by the way. (Riverhead applied for
a patent on such techniques, IIRC.)
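As an added illustration of the CNAME-based UDP cookie sketched in the post above (this is example code written for this archive page, not from the poster or from any nameserver implementation): the server answers a query from an unverified address with a CNAME whose leftmost label is an HMAC over the client address, the queried name and a time slot, so only a client that actually received the reply (i.e. did not spoof its source) can issue the follow-up query, and the server keeps no per-client state until that follow-up verifies. The `cookie` label convention, the secret and the 60-second slot are assumptions of this sketch.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed secret for the example; a real server would generate a random
# key and rotate it. The slot length is an assumption, not anything from the post.
SERVER_SECRET = b"example-server-secret-rotate-me"
SLOT_SECONDS = 60


def _slot(now):
    return int(now // SLOT_SECONDS)


def make_cookie(client_ip, qname, now=None, secret=SERVER_SECRET):
    """Stateless cookie: HMAC over (client address, qname, time slot), 64 bits as hex."""
    if now is None:
        now = time.time()
    msg = b"|".join([ipaddress.ip_address(client_ip).packed,
                     qname.lower().encode(), str(_slot(now)).encode()])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def challenge_response(client_ip, qname, now=None):
    """First query from an unverified address: answer with a CNAME that embeds the cookie.
    A client that spoofed its source never sees this reply, so it cannot follow the CNAME."""
    cookie = make_cookie(client_ip, qname, now=now)
    return ("CNAME", "%s.cookie.%s" % (cookie, qname))


def parse_cookie_query(qname):
    """Split '<cookie>.cookie.<original qname>' into (cookie, original qname), else None."""
    labels = qname.lower().split(".")
    if len(labels) >= 3 and labels[1] == "cookie":
        return labels[0], ".".join(labels[2:])
    return None


def verify_followup(client_ip, qname, now=None):
    """Follow-up query for the CNAME target. Recompute the cookie for the current and the
    previous slot (to tolerate a slot boundary) and compare in constant time. Returns the
    original qname if the address is now verified (and may be whitelisted), else None."""
    parsed = parse_cookie_query(qname)
    if parsed is None:
        return None
    cookie, original = parsed
    if now is None:
        now = time.time()
    for candidate in (now, now - SLOT_SECONDS):
        if hmac.compare_digest(make_cookie(client_ip, original, now=candidate), cookie):
            return original
    return None
```

Because the cookie binds the client address, a cookie observed on the wire cannot be replayed from another source, and the time slot bounds how long a captured cookie stays valid.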