[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Rick Jones rick.jones2 at hp.com
Fri Jun 24 21:49:01 UTC 2011

On 06/24/2011 10:43 AM, David Conrad wrote:
> On Jun 24, 2011, at 7:37 AM, Rick Jones wrote:
>> OK, perhaps my (ab)using "de jure" was setting myself up for
>> that... The question was do the RFCs covering DNS require caching
>> of responses?
> Others more familiar with the letter of the RFCs can probably answer
> better than I, but I'd have to ask: does it matter?  We're talking
> operations here...
> Operationally, do you think an authoritative server should respond to
> (say) 100 qps of the same query from the same source (assuming a
> reasonable TTL on the response)?

That depends on how reasonable/legitimate it is felt to toss the baby of 
a non-caching resolver talking to an authoritative server out with the 
bathwater of an attack.

Nothing says that an application must not do something like "One 
connection per transaction" nor requires it to keep the result of the 
lookup of the transaction server's name, so if there isn't a caching 
resolver between said application and the authoritative server that 
would be a high rate of queries that was not an actual attack.

So, asking a "what is the upper bound on queries per second per client" 
is asking "what is the upper bound on transaction rate" which is a 
rather open-ended question.

(Hopefully I've not botched terminology in there)


More information about the dns-operations mailing list