[dns-operations] DNS ANY record queries - Reflection Attacks

Paul Vixie paul at redbarn.org
Tue Sep 11 05:40:38 UTC 2012


On 2012-09-11 5:36 AM, Mohamed Lrhazi wrote:
> Nope. I have not, and am not using BIND unfortunately. But I guess you
> are saying: Limit responses to any client to some number per some time
> window.
>
> What would be an appropriate number, per what time window, to be
> effective and lessen the chances of false positives?

the defaults are round numbers (10 similar responses per second per v4
/24 or v6 /56, keep history for five seconds) and are shockingly
effective. Important Note: it's not responses per client, but rather,
responses per client network per response type, that must be limited.
you can't do the right thing in a firewall or other in-path device, you
get too many false negatives and false positives that way. the proposed
response is how you bucketize safely.

i'll be happy to describe DNS RRL to your non-BIND implementor if they
want to know more about it. it's totally open, both the concept and the
implementation in C for BIND are BSD-licensed.

paul
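An added illustration of the bucketing described in the mail above (this is example code, not Paul's text and not the BIND RRL implementation): credits are tracked per (client /24 or /56, response type) with the stated defaults of 10 responses per second and a five-second history. The credit arithmetic and the grouping of non-NOERROR responses by rcode alone are simplifying assumptions made here.

```python
import ipaddress


class ResponseRateLimiter:
    """RRL-style limiter keyed by client network and response type, not by client."""

    def __init__(self, responses_per_second=10, window=5.0, v4_prefix=24, v6_prefix=56):
        self.rate = responses_per_second      # credits replenished per second
        self.window = window                  # seconds of history kept per bucket
        self.v4_prefix = v4_prefix            # IPv4 clients aggregated per /24
        self.v6_prefix = v6_prefix            # IPv6 clients aggregated per /56
        self.buckets = {}                     # key -> (credit balance, last response time)

    def network(self, client_ip):
        """Collapse a client address to its /24 (v4) or /56 (v6) network."""
        addr = ipaddress.ip_address(client_ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network((addr, prefix), strict=False))

    def bucket_key(self, client_ip, rcode, qname, qtype):
        """Positive answers are bucketed by name and type; other rcodes share one
        bucket per network (assumption: a simplification of the real scheme)."""
        net = self.network(client_ip)
        if rcode == "NOERROR":
            return (net, "NOERROR", qname.lower().rstrip("."), qtype.upper())
        return (net, rcode)

    def allow(self, now, client_ip, rcode, qname, qtype):
        """Return True if this response may be sent, False if it should be dropped."""
        key = self.bucket_key(client_ip, rcode, qname, qtype)
        balance, last = self.buckets.get(key, (float(self.rate), now))
        # Replenish credits for elapsed time, capped at one window's worth.
        balance = min(balance + (now - last) * self.rate, self.rate * self.window)
        allowed = balance >= 1.0
        if allowed:
            balance -= 1.0
        self.buckets[key] = (balance, now)
        self.expire(now)
        return allowed

    def expire(self, now):
        """Forget buckets that have been idle longer than the history window."""
        stale = [k for k, (_, last) in self.buckets.items() if now - last > self.window]
        for k in stale:
            del self.buckets[k]
```

With constructed input, twelve identical ANY answers to different hosts in 192.0.2.0/24 within one second pass ten and drop two, while the same answer to another /24, or a different answer to the same /24, is unaffected.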
