[dns-operations] "NS .", the attack of the month?
Mark_Andrews at isc.org
Sun Jan 25 01:38:44 UTC 2009
In message <Pine.NEB.4.64.0901241846360.26223 at tx.reedmedia.net>, "Jeremy C. Ree
> On Sun, 25 Jan 2009, Stefan Schmidt wrote:
> > > extract " Then, a query such as ". IN NS" should result in a REFUSED
> > > response."
> > Answering with REFUSED or SERVFAIL is still better than not answering at
> > all which, if deployed in large scale, would most likely cause all
> > recursive servers to cripple under the load of outstanding queries to
> > authoritative servers.
> What outstanding queries? Answer to who?
There are plenty of misconfigurations for which REFUSED
will be handled by the iterative resolvers as "don't
re-try this query". Not replying to the query will cause
the iterative resolvers to re-try as it will be treated
as packet loss.
Do we code for the abuse case or for the misconfiguration
case? We can't do both. The current choice is to code for
the misconfiguration case but not to amplify in the abuse
case. Yes this is a compromise.
> > I wonder which alternatives you are seeing to sending back an answer?
> I have been manually adding hosts to a blackhole ACL.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
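An added defender-side example, not part of the thread or of any ISC code: a small Python script that parses BIND-style query log lines (the sample lines below are constructed) and flags sources sending bursts of ". IN NS" queries, the kind of evidence an operator would review before adding a host to a blackhole ACL as described above. It assumes the log lines follow the "client IP#port: query: NAME CLASS TYPE FLAGS" layout; adjust the regex if your logging differs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of BIND-style query log lines (not real traffic).
SAMPLE_LOG = """\
25-Jan-2009 01:30:00.001 client 192.0.2.10#53: query: . IN NS + (198.51.100.1)
25-Jan-2009 01:30:00.002 client 192.0.2.10#53: query: . IN NS + (198.51.100.1)
25-Jan-2009 01:30:00.003 client 192.0.2.10#53: query: . IN NS + (198.51.100.1)
25-Jan-2009 01:30:00.500 client 203.0.113.7#41234: query: www.example.com IN A - (198.51.100.1)
25-Jan-2009 01:30:01.000 client 192.0.2.10#53: query: . IN NS + (198.51.100.1)
25-Jan-2009 01:30:01.200 client 203.0.113.9#55555: query: . IN NS + (198.51.100.1)
"""

# Assumed log layout: "<timestamp> client <ip>#<port>: query: <qname> <qclass> <qtype> <flags> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_line(line):
    """Return a dict of fields for one query log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return rec

def root_ns_sources(log_text, threshold=3, window_seconds=60):
    """Return {source_ip: peak_count} for sources that sent at least `threshold`
    '. IN NS' queries within any interval of `window_seconds` seconds."""
    stamps_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qname"] == "." and rec["qclass"] == "IN" and rec["qtype"] == "NS":
            stamps_by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):          # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(root_ns_sources(SAMPLE_LOG))
```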