[dns-operations] DNS greylisting?
Gadi Evron
ge at linuxbox.org
Tue Mar 7 21:35:35 UTC 2006
Florian Weimer wrote:
> * Paul Vixie:
>
>
>>if large numbers of nonmalicious queries are forced to use TCP, then a
>>malfeasant can deny service for those queries by attacking the TCP quota
>>and connection management logic in the nameserver.
>
>
> The idea is to use SYN cookies to whitelist "good" addresses, without
> keeping too much state server-side. You can use CNAME RRs to
> implement pure UDP-based cookies, by the way. (Riverhead applied for
> a patent on such techniques, IIRC.)
Is SPF for DNS next?
Yes.. yes.. DNS SEC, I know. Hmm. Somewhere.
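
The CNAME-based UDP cookie idea mentioned in the quoted text, sketched as an added example that is not from this thread or from any nameserver's code. The label format (`ck-` prefix), the HMAC construction, the 60-second window, and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed value; a real server would rotate this
WINDOW = 60                          # seconds per cookie epoch (assumption)
PREFIX = "ck-"                       # hypothetical marker for a cookie label


def _mac(src_ip, qname, epoch):
    # Bind the cookie to the source address, the original name and a time window.
    msg = f"{src_ip}|{qname.lower()}|{epoch}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def handle_query(src_ip, qname, now=None, whitelist=None):
    """Decide how to treat one UDP query without storing per-client state.

    Returns (action, detail): CNAME = send the cookie challenge,
    ANSWER = serve the real data, DROP = ignore the packet.
    """
    now = time.time() if now is None else now
    whitelist = set() if whitelist is None else whitelist
    epoch = int(now // WINDOW)

    if src_ip in whitelist:
        return ("ANSWER", qname)

    first, _, rest = qname.partition(".")
    if first.lower().startswith(PREFIX) and rest:
        cookie = first[len(PREFIX):].lower()
        # Accept the current and previous epoch so a cookie issued just
        # before a window boundary still verifies.
        for e in (epoch, epoch - 1):
            if hmac.compare_digest(cookie, _mac(src_ip, rest, e)):
                # Only a host that received our CNAME at src_ip could have
                # learned this label, so the address is not spoofed.
                whitelist.add(src_ip)
                return ("ANSWER", rest)
        return ("DROP", "bad or expired cookie")

    # Unknown source: reply with a small CNAME the resolver must chase.
    return ("CNAME", f"{PREFIX}{_mac(src_ip, qname, epoch)}.{qname}")
```

The only state kept is the whitelist of verified addresses; the challenge itself is recomputed from the secret on each packet.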