[dns-operations] DNS greylisting?

Florian Weimer fw at deneb.enyo.de
Tue Mar 7 19:21:33 UTC 2006


* Paul Vixie:

> if large numbers of nonmalicious queries are forced to use TCP, then a
> malfeasant can deny service for those queries by attacking the TCP quota
> and connection management logic in the nameserver.

The idea is to use SYN cookies to whitelist "good" addresses, without
keeping too much state server-side.  You can use CNAME RRs to
implement pure UDP-based cookies, by the way.  (Riverhead applied for
a patent on such techniques, IIRC.)
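The CNAME-carried cookie idea sketched in the reply above, as an added example that is not code from this thread or from any nameserver: an unverified source address gets a CNAME whose target label carries a keyed, time-bucketed cookie; a resolver that follows the CNAME from the same address proves it can receive the server's packets and is whitelisted, and the only per-client state kept is the set of verified addresses. The `c-<bucket>-<mac>.<name>` label layout and the zone data are assumptions of this illustration.

```python
import hashlib
import hmac
import time


class CookieServer:
    """Hypothetical model of CNAME-carried cookies; the label layout is assumed."""

    def __init__(self, key: bytes, records: dict, now=time.time):
        self.key = key
        self.records = records      # constructed zone data: name -> IPv4 string
        self.now = now
        self.verified = set()       # the only per-client state: proven addresses

    def _bucket(self) -> int:
        return int(self.now()) // 60          # cookies rotate every minute

    def _cookie(self, src_ip: str, name: str, bucket: int) -> str:
        msg = f"{src_ip}|{name}|{bucket}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    @staticmethod
    def _parse(qname: str):
        """Split 'c-<bucket>-<mac>.<name>' into (bucket, mac, name), else None."""
        label, _, rest = qname.partition(".")
        parts = label.split("-")
        if len(parts) != 3 or parts[0] != "c" or not parts[1].isdigit():
            return None
        return int(parts[1]), parts[2], rest

    def handle_query(self, src_ip: str, qname: str):
        parsed = self._parse(qname)
        if parsed is not None:
            # Step 2: the client followed our CNAME, so it echoes the cookie back
            bucket, mac, rest = parsed
            expected = self._cookie(src_ip, rest, bucket)
            fresh = bucket in (self._bucket(), self._bucket() - 1)
            if not fresh or not hmac.compare_digest(mac.encode(), expected.encode()):
                return ("REFUSED", None)      # expired, forged or replayed from another address
            self.verified.add(src_ip)         # address demonstrably receives our packets
            qname = rest
        if src_ip not in self.verified:
            # Step 1: unverified source gets a CNAME carrying a cookie, no state kept
            bucket = self._bucket()
            return ("CNAME", f"c-{bucket}-{self._cookie(src_ip, qname, bucket)}.{qname}")
        if qname in self.records:
            return ("A", self.records[qname])
        return ("NXDOMAIN", None)
```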
