[dns-operations] question for DNS being attacked

Paul Vixie paul at redbarn.org
Thu Jun 28 05:10:26 UTC 2012

On 2012-06-28 3:57 AM, pangj wrote:
>> at<http://www.redbarn.org/dns/ratelimits>  you will find one
>> experimental approach to doing this, if your name server is BIND9. note
>> that this feature is not supported by ISC at this time, but that the
>> authors of the experimental technology would welcome any comments, bug
>> reports, questions, or feedback on the topic.
> Thank you, yes I am running with BIND 9.7.

you would need to upgrade to BIND 9.8 or 9.9 to be able to use the DNS
RRL patches.

> Is the RRL based on the incoming source IP?


> since the source IPs are most probably spoofed, how will the patch
> make effect?

DNS RRL looks for unnatural similarities in a <ip-src, dns-response>
flow, and limits the rate accordingly. it will not stop a random-sourced
attack nor a widely-reflected attack, but it has been shown to stop
targetted attacks using a small number of reflectors.

there is a technical note at <http://www.redbarn.org/dns/ratelimits>
which describes the approach in detail.


More information about the dns-operations mailing list