[dns-operations] "NS .", the attack of the month?

Mark Andrews Mark_Andrews at isc.org
Sun Jan 25 01:38:44 UTC 2009

In message <Pine.NEB.4.64.0901241846360.26223 at tx.reedmedia.net>, "Jeremy C. Ree
d" writes:
> On Sun, 25 Jan 2009, Stefan Schmidt wrote:
> > > extract " Then, a query such as ". IN NS" should result in a REFUSED
> > > response."
> > 
> > Answering with REFUSED or SERVFAIL is still better than not answering at
> > all which, if deployed in large scale, would would most likely cause all
> > recursive servers to cripple under the load of outstanding queries to
> > authoritative servers.
> What outstanding queries? Answer to who?

	There are plenty of misconfigurations for which REFUSED
	will be handled by the the interative resolvers as "don't
	re-try this query".  Not replying to the query will cause
	the interative resolvers to re-try as it will be treated
	as packet loss.

	Do we code for the abuse case or for the misconfiguration
	case?  We can't do both.  The current choice is to code for
	the misconfiguration case but not to amplify in the abuse
	case.  Yes this is a compromise.
> > I wonder which alternatives you are seeing to sending back an answer?
> I have been manually adding hosts to a blackhole ACL.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the dns-operations mailing list