[dns-operations] First experiments with DNS dampening to fight amplification attacks

John Kristoff jtk at cymru.com
Mon Oct 1 16:00:49 UTC 2012


On Fri, 28 Sep 2012 09:44:39 +0200
bert hubert <bert.hubert at netherlabs.nl> wrote:

> This allows us to test for two-way communications without using
> truncated packets or TCP.
> 
> We could encode the correct destination in the CNAME, for
> A and AAAA this is trivial. If you come back to resolve
> encoded-12.32.43.43.attackeddomain.com, you get 12.32.43.43 etc. For
> extra resilience encrypt it.
> 
> I did not think this through too deeply, but what do people think?

Why would this, or other similar proposals, be preferable to
just sending back truncated packets to signal for TCP?

This latter approach has been widely used in network gear over the
years with a fair amount of success, and now thanks to Paul and Vern's
work, seems to be a promising feature in the application itself.

John
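The encoded-CNAME check quoted above, worked through as an added example that is not part of the thread: the server answers the first UDP query with a small CNAME that carries the real address, and only a follow-up query for that name (which a spoofed source never receives, so it cannot be amplified) gets the actual record. The zone name attackeddomain.com is the one in the quote; the key, the HMAC tag used in place of bert's "encrypt it" step, and the www record are assumptions.

```python
import hashlib
import hmac
import ipaddress

ZONE = "attackeddomain.com"              # zone name from the quoted proposal
KEY = b"constructed-demo-key"            # constructed; a real server would load it from config
TAG_LEN = 16                             # hex chars of HMAC kept in the name (assumption)

def _tag(addr, key):
    # keyed tag over the canonical address text; stands in for the 'encrypt it' step
    return hmac.new(key, str(addr).encode(), hashlib.sha256).hexdigest()[:TAG_LEN]

def encode_target(ip, key=KEY):
    """CNAME target carrying the real address, e.g. encoded-12.32.43.43.<tag>.<zone>.
    IPv4 keeps the dotted form from the thread; IPv6 uses '-' so it is one legal label."""
    addr = ipaddress.ip_address(ip)
    text = str(addr) if addr.version == 4 else addr.exploded.replace(":", "-")
    return f"encoded-{text}.{_tag(addr, key)}.{ZONE}"

def decode_target(qname, key=KEY):
    """Recover the address from a follow-up query, or None if the name is not one
    of ours, is malformed, or the tag does not verify (a forged or guessed name)."""
    labels = qname.rstrip(".").split(".")
    zone = ZONE.split(".")
    if len(labels) < len(zone) + 2 or labels[-len(zone):] != zone:
        return None
    body, tag = labels[:-len(zone) - 1], labels[-len(zone) - 1]
    if not body[0].startswith("encoded-"):
        return None
    text = ".".join([body[0][len("encoded-"):]] + body[1:])
    try:
        addr = ipaddress.ip_address(text if "." in text else text.replace("-", ":"))
    except ValueError:
        return None
    return str(addr) if hmac.compare_digest(_tag(addr, key), tag) else None

def udp_response(qname, zone_data):
    """Server side of the two-step exchange over UDP. The real answer is only
    sent once the client shows it received the CNAME, i.e. its source is real."""
    decoded = decode_target(qname)
    if decoded is not None:
        return ("A", decoded)
    if qname in zone_data:
        return ("CNAME", encode_target(zone_data[qname]))
    return ("NXDOMAIN", None)

ZONE_DATA = {"www.attackeddomain.com": "12.32.43.43"}   # constructed record
```

A resolver that follows the CNAME proves it received a packet at its claimed source, which is the same property the TC bit buys without the TCP round trip; the tag keeps an attacker from minting valid encoded names without first completing the exchange.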


