[dns-operations] "NS .", the attack of the month?

Stefan Schmidt stefan.schmidt at freenet.ag
Sun Jan 25 00:17:49 UTC 2009

On Sun, Jan 25, 2009 at 09:11:43AM +1000, Noel Butler wrote:
> No, that advice is outright wrong! Contributing to the DDoS (although
> we should all have been doing it anyway in general) because you are
> sending the REFUSED pkt back to the victim, so they are essentially
> telling you how to participate in the DDoS.
> extract " Then, a query such as ". IN NS" should result in a REFUSED
> response."

Answering with REFUSED or SERVFAIL is still better than not answering at
all, which, if deployed on a large scale, would most likely cause all
recursive servers to cripple under the load of outstanding queries to
authoritative servers.
I wonder which alternatives you are seeing to sending back an answer?

DPRINTK("strange things happen ...\n");
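
What the REFUSED answer discussed in this thread looks like on the wire, as an added example that is not part of the original message: it builds the ". IN NS" query, produces a REFUSED reply (header plus echoed question, no records) and compares the two sizes. The function names and the transaction ID are constructed for illustration.

```python
import struct

REFUSED = 5  # RCODE 5 (RFC 1035)

def build_query(txid, qname=".", qtype=2, qclass=1):
    """Build a minimal DNS query; the defaults give '. IN NS' (QTYPE 2 = NS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def question_end(msg):
    """Return the offset just past the first question (names there are uncompressed)."""
    off = 12
    while msg[off] != 0:
        if msg[off] & 0xC0:
            raise ValueError("compressed or invalid label in question")
        off += 1 + msg[off]
    end = off + 1 + 4  # root label + QTYPE + QCLASS
    if end > len(msg):
        raise ValueError("truncated question")
    return end

def refused_response(query):
    """Answer a query with REFUSED: same ID and question, no resource records."""
    if len(query) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    # Set QR=1, keep the opcode and RD bits, put REFUSED in the RCODE field.
    rflags = 0x8000 | (flags & 0x7900) | REFUSED
    end = question_end(query)
    # Anything after the question (e.g. an EDNS OPT record) is not echoed.
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + query[12:end]

def amplification(query, response):
    """Response bytes sent per query byte received."""
    return len(response) / len(query)

if __name__ == "__main__":
    q = build_query(0x1234)  # constructed sample: ". IN NS"
    r = refused_response(q)
    print(f"query {len(q)} B, REFUSED reply {len(r)} B, "
          f"factor {amplification(q, r):.2f}")
```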
