[dns-operations] First experiments with DNS dampening to fight amplification attacks

Jim Reid jim at rfc1035.com
Mon Oct 1 08:38:16 UTC 2012


On 1 Oct 2012, at 08:33, Paul Vixie wrote:

> i'm ready to accept that rate limiting (as specified by DNS RRL) hurts
> non-spoofing clients who ask "similar enough" questions during the
> attack. but so far this has not been demonstrated or even described. a
> real recursive-service initiator may be forced to retry by UDP or even
> by TCP.

+1. Besides, a genuine resolver will also have a non rate-limiting
server to query unless all the name servers for some domain are under
attack.



