[dns-operations] DNS greylisting?

Gadi Evron ge at linuxbox.org
Tue Mar 7 21:35:35 UTC 2006

Florian Weimer wrote:
> * Paul Vixie:
>> if large numbers of nonmalicious queries are forced to use TCP, then a
>> malfeasant can deny service for those queries by attacking the TCP quota
>> and connection management logic in the nameserver.
> The idea is to use SYN cookies to whitelist "good" addresses, without
> keeping too much state server-side.  You can use CNAME RRs to
> implement pure UDP-based cookies, by the way.  (Riverhead applied for
> a patent on such techniques, IIRC.)

Is SPF for DNS next?

Yes.. yes.. DNS SEC, I know. Hmm. Somewhere.
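The stateless "UDP cookie via CNAME" idea quoted from Florian above, as an added illustration that is not part of this thread and not Riverhead's or anyone's patented scheme: the server answers an unverified query with a CNAME whose first label is an HMAC over the source address, the queried name and a coarse time bucket. Only a client that actually received that response (so whose source address is not spoofed) can send the follow-up query for the cookie name, and the server verifies it by recomputing the MAC rather than by storing anything per client. The secret, the bucket length, the 64-bit truncation and the sample addresses are all constructed assumptions.

```python
import hashlib
import hmac
import time

# Assumptions for this example: a per-server secret that would be rotated
# in practice, and a 60-second validity window for issued cookies.
SECRET = b"constructed-server-secret-rotate-in-production"
BUCKET_SECONDS = 60
COOKIE_HEX_LEN = 16  # 64 bits of the HMAC, enough to make guessing impractical


def current_bucket(now=None):
    """Coarse time bucket so cookies expire without server-side state."""
    now = time.time() if now is None else now
    return int(now // BUCKET_SECONDS)


def cookie_for(client_ip, qname, bucket):
    """Deterministic, keyed cookie bound to source address, name and time."""
    msg = f"{client_ip}|{qname.lower()}|{bucket}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:COOKIE_HEX_LEN]


def issue_challenge(client_ip, qname, now=None):
    """CNAME target handed to an unverified client: <cookie>.<original name>."""
    return f"{cookie_for(client_ip, qname, current_bucket(now))}.{qname}"


def verify_challenge(client_ip, qname_received, now=None):
    """Return the original name if the first label is a valid cookie, else None.

    The current and the previous bucket are accepted so a client that
    received its challenge just before a bucket boundary is not penalised.
    """
    label, sep, original = qname_received.partition(".")
    if not sep or len(label) != COOKIE_HEX_LEN:
        return None
    bucket = current_bucket(now)
    for candidate in (bucket, bucket - 1):
        expected = cookie_for(client_ip, original, candidate)
        if hmac.compare_digest(label, expected):
            return original
    return None


def handle_query(client_ip, qname, now=None):
    """Server decision for one UDP query.

    Returns ("ANSWER", name) when the query proves return-routability via a
    valid cookie label, otherwise ("CNAME", challenge) to make the client
    come back with the cookie. No per-client state is kept between calls.
    """
    original = verify_challenge(client_ip, qname, now)
    if original is not None:
        return ("ANSWER", original)
    return ("CNAME", issue_challenge(client_ip, qname, now))


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock for reproducibility.
    t0 = 1000
    kind, challenge = handle_query("192.0.2.10", "www.example.org", now=t0)
    print(kind, challenge)                                   # CNAME <cookie>.www.example.org
    print(handle_query("192.0.2.10", challenge, now=t0))     # ANSWER for the real name
    print(handle_query("192.0.2.11", challenge, now=t0))     # other source: challenged again
    print(handle_query("192.0.2.10", challenge, now=t0 + 3 * BUCKET_SECONDS))  # expired
```

The cost of the scheme is visible in the code: every unverified client pays one extra round trip, so a spoofing attacker still gets a small amplification from the CNAME response itself, and the cookie must be bound to the queried name (not just the address) or one verified name could be replayed against others. This is a return-routability check, not authentication of the data, which is the part DNSSEC addresses.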

