[dns-operations] question for DNS being attacked

Paul Vixie paul at redbarn.org
Fri Jun 29 06:10:12 UTC 2012

On 2012-06-29 1:22 AM, Michael Hoskins (michoski) wrote:
> ...
> for those avoiding RRL until further testing and/or not able to get
> upstream cooperation, other forms of rate limiting might be the only
> option left...  for that i would generally look to a network device or
> firewall rules on the name servers themselves.

i recommend against rate limits that only look at ip source addresses.
FP rate is too high.

> since dummynet has proven to exhibit high FP rate on at least one root
> server, some sort of sensible limit on ephemeral connections seems it
> could work with enough experimentation.  unfortunately the exact mechanism
> and thresholds would take time to work out, and won't help the OP now.

root servers are a special case since their answers are always referrals
or nxdomain's, other than ". IN SOA". dummynet is not "proven" to
exhibit high FP on any root name server. one must use very large flow
limits, large enough that spoofed-source attacks still hurt the victims,
but not so large that they hurt the servers.

the "ephemeral connections" are not the problem.

> i'm watching RRL with interest.  as mentioned in the tech note, it's not
> really needed on internal servers where preexisting / better understood
> methods can keep clients under control.  externally i don't really need it
> with the current infrastructure i manage, but it couldn't hurt.

nothing in the world "couldn't hurt"; please don't apply that standard
here. some day this kind of rate limiting or some smarter kind will have
to be the default for all wide area udp services. nobody has yet turned
it off as a result of problems or when there were no other attacks; but
it's a code and behaviour change and should be undertaken only seriously
especially in these early days.


More information about the dns-operations mailing list