[dns-operations] etc (was Re: Restrict ANY query to TCP ?)
Paul Vixie
paul at redbarn.org
Mon Jun 11 21:00:37 UTC 2012
On 2012-06-11 5:46 PM, Olafur Gudmundsson wrote:
> Paul,
> how about much simpler configuration option to force all
> any queries to be reissued over TCP,
> restrict-any-udp "yes/no";
i think somebody has patented that. while i'm not a lawyer i don't think
the RRL patch set runs afoul of that patent, since our innovation is the
slip rate.
> And have Bind reply with TC=1 and empty answer section on ANY UDP
> queries.
> This is simple, no state needed, no firewall rules, and gets rid of
> spoofed addresses.
>
> Olafur
if an attacker is spoof-querying a victim's client-ip and the packet
rate is high enough to warrant rate limiting, then the packet headers
(ip, udp, dns, query) are heavy enough to damage the victim. so, even
without amplification, there is still a major problem with reflection.
the normal udp retry rate for healthy non-spoofed query traffic is
perfect for us. the slip rate method in RRL has a good chance of
answering the few real query-tries while ignoring the rest.
thanks for your questions; more are welcome.
and it's time to broaden the testing. i'm about to announce RRL; i will
use a new thread to do it in.
paul
More information about the dns-operations
mailing list