[dns-operations] question for DNS being attacked

Michael Graff mgraff at isc.org
Thu Jun 28 05:30:17 UTC 2012


On Jun 28, 2012, at 12:10 AM, Paul Vixie wrote:
> DNS RRL looks for unnatural similarities in a <ip-src, dns-response>
> flow, and limits the rate accordingly. it will not stop a random-sourced
> attack nor a widely-reflected attack, but it has been shown to stop
> targeted attacks using a small number of reflectors.
> 
> there is a technical note at <http://www.redbarn.org/dns/ratelimits>
> which describes the approach in detail.


The RRL tech may not be supported by ISC, but the URL http://ss.vix.com/~vixie/isc-tn-2012-1.txt says it is copyright by ISC.

I still fear this sort of rate limiting (or possibly any major rate limiting that isn't fair-share outgoing bandwidth limiting) can cause other issues, including some security issues.  It may solve the distributed flood using DNS as an amplification, but until I see a write-up on exactly how it performs with more than just a description, and a few people outside of the two developers analyze that methodology, I would not use this system in production.

Even with the slip values, I still feel this can open a wider window for other forms of attacks against a DNS zone.

--Michael
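The mechanism the quoted text describes (rate-limiting on the similarity of a <ip-src, dns-response> flow, with a "slip" that occasionally sends a truncated reply instead of dropping) can be modelled in a few dozen lines. The following is an added illustration, not code from BIND, ISC or the referenced technical note; it is a simplified token-bucket model whose parameter names (responses_per_second, window, slip, the /24 and /56 client prefixes, and the grouping of all error responses into one bucket) are assumptions made here for the sake of the example, not a statement of how the real implementation behaves. It also shows, on constructed traffic, the two cases the quote distinguishes: a spoofed flood aimed at one /24 is limited, while a random-sourced flood (one query per /24) is not.

```python
# Added example: a simplified model of DNS Response Rate Limiting (RRL).
# Not ISC/BIND code; parameter names and defaults are assumptions for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass
class RRLConfig:
    responses_per_second: int = 5   # identical responses allowed per client prefix per second
    window: int = 15                # seconds of unused credit a prefix may bank (burst allowance)
    slip: int = 2                   # every slip-th limited response is sent with TC=1 instead of dropped
    ipv4_prefix_length: int = 24    # assumed: clients aggregated by /24
    ipv6_prefix_length: int = 56    # assumed: clients aggregated by /56


@dataclass
class _Bucket:
    credits: float     # responses still allowed before limiting kicks in
    last: float        # timestamp of last update (seconds)
    limited: int = 0   # responses limited since the bucket was created (drives slip)


class ResponseRateLimiter:
    """Keys a token bucket on (client prefix, response identity) and returns
    'send', 'slip' (truncated TC=1 reply, forcing a real client to retry over TCP)
    or 'drop' for each response the server is about to emit."""

    def __init__(self, cfg: RRLConfig):
        self.cfg = cfg
        self.buckets: dict = {}

    def _key(self, src_ip: str, qname: str, qtype: str, rcode: str):
        addr = ipaddress.ip_address(src_ip)
        plen = self.cfg.ipv4_prefix_length if addr.version == 4 else self.cfg.ipv6_prefix_length
        prefix = str(ipaddress.ip_network((src_ip, plen), strict=False))
        if rcode != "NOERROR":
            # Assumed simplification: all error responses (NXDOMAIN, REFUSED, ...) to a
            # prefix look alike to the limiter regardless of the name that was asked for.
            return (prefix, rcode)
        # A successful answer is identified by what was asked: same name + type = same response.
        return (prefix, qname.lower().rstrip("."), qtype.upper(), rcode)

    def decide(self, now: float, src_ip: str, qname: str, qtype: str, rcode: str) -> str:
        cfg = self.cfg
        key = self._key(src_ip, qname, qtype, rcode)
        b = self.buckets.get(key)
        if b is None:
            b = _Bucket(credits=cfg.responses_per_second, last=now)
            self.buckets[key] = b
        # Refill at responses_per_second, capped at window * responses_per_second.
        elapsed = max(0.0, now - b.last)
        b.credits = min(cfg.responses_per_second * cfg.window,
                        b.credits + elapsed * cfg.responses_per_second)
        b.last = now
        if b.credits >= 1:
            b.credits -= 1
            return "send"
        b.limited += 1
        if cfg.slip and b.limited % cfg.slip == 0:
            return "slip"   # truncated answer: tiny, so no amplification, but legit clients can retry via TCP
        return "drop"


def simulate(cfg: RRLConfig, events):
    """events: iterable of (time, src_ip, qname, qtype, rcode); returns one decision per event."""
    rrl = ResponseRateLimiter(cfg)
    return [rrl.decide(*e) for e in events]


def demo():
    cfg = RRLConfig(responses_per_second=5, slip=2)
    # Constructed traffic: ten spoofed ANY queries whose "source" is the victim's /24.
    reflector_flood = [(0.0, f"192.0.2.{i}", "example.com", "ANY", "NOERROR") for i in range(10)]
    # Constructed traffic: ten ANY queries from ten different /24s (random-sourced).
    random_sourced = [(0.0, f"10.{i}.0.7", "example.com", "ANY", "NOERROR") for i in range(10)]
    return {
        "reflector_flood": simulate(cfg, reflector_flood),
        "random_sourced": simulate(cfg, random_sourced),
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

In the reflector case the first five responses go out, then the bucket is exhausted and the remainder alternate drop/slip; in the random-sourced case every query lands in a fresh bucket and all ten are answered, which is exactly the limitation the quoted text concedes. The slip setting is where the trade-off discussed in this thread lives: slip=0 means a spoofed victim receives nothing at all for the affected name (a denial-of-answers window), while a small slip value keeps a truncated reply flowing so real resolvers can fall back to TCP.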



