[dns-operations] First experiments with DNS dampening to fight amplification attacks
bert.hubert at netherlabs.nl
Fri Sep 28 07:44:39 UTC 2012
On Fri, Sep 28, 2012 at 09:17:42AM +0200, Dan Luedtke wrote:
> When an IP address is blocked, we still answer to it, but only once.
> Regardless of what the query is, we answer:
> TXT "temporary_blocked <challenge_1> <challenge_2>"
Hmmm for authoritative servers, we might also emit a CNAME "challenge". This
would be a needless and semantically null transition, but only a bona fide
resolver will come back to follow the CNAME trail.
This allows us to test for two-way communications without using truncated
packets or TCP.
We could encode the correct destination in the CNAME; for A and
AAAA this is trivial. If you come back to resolve
encoded-184.108.40.206.attackeddomain.com, you get 220.127.116.11 etc. For extra
resilience, encrypt it.
I did not think this through too deeply, but what do people think?
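The CNAME challenge sketched above, worked through as an added example by the editor (this is not code from Bert Hubert, Dan Luedtke or any DNS server project). Assumptions made here that the message does not state: the address is hex-encoded into a single label so A and AAAA are handled the same way, a truncated HMAC stands in for "encrypt it" so that a forged challenge name is not honoured, each blocked source gets exactly one CNAME challenge until it follows it, and the zone data and key are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional, Set, Tuple

ZONE = "attackeddomain.com"          # zone name taken from the message
SECRET = b"constructed-demo-key"     # constructed for the example; use a random key in practice
TAG_LEN = 16                         # hex chars of the HMAC kept in the label (assumption)

# Constructed sample zone data: owner name -> {rrtype: rdata}
ZONE_DATA: Dict[str, Dict[str, str]] = {
    f"www.{ZONE}": {"A": "203.0.113.10", "AAAA": "2001:db8::10"},
    f"mail.{ZONE}": {"A": "203.0.113.25"},
}

Answer = Tuple[str, str]  # (rrtype, rdata)


def _tag(hex_addr: str) -> str:
    """Keyed tag over the encoded address; assumed substitute for full encryption."""
    return hmac.new(SECRET, hex_addr.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def encode_target(ip: str) -> str:
    """Turn the real A/AAAA answer into a CNAME challenge name under ZONE."""
    hex_addr = ipaddress.ip_address(ip).packed.hex()
    return f"encoded-{hex_addr}-{_tag(hex_addr)}.{ZONE}"


def decode_target(qname: str) -> Optional[str]:
    """Reverse encode_target; None if the name is not a valid, untampered challenge."""
    label, _, rest = qname.partition(".")
    if rest != ZONE or not label.startswith("encoded-"):
        return None
    parts = label[len("encoded-"):].split("-")
    if len(parts) != 2:
        return None
    hex_addr, tag = parts
    if not hmac.compare_digest(tag, _tag(hex_addr)):
        return None
    try:
        return str(ipaddress.ip_address(bytes.fromhex(hex_addr)))
    except ValueError:
        return None


class DampeningServer:
    """Minimal authoritative responder with the CNAME two-way check."""

    def __init__(self) -> None:
        self.blocked: Set[str] = set()      # sources currently dampened
        self.challenged: Set[str] = set()   # blocked sources that already got their one CNAME

    def block(self, src_ip: str) -> None:
        self.blocked.add(src_ip)

    def answer(self, src_ip: str, qname: str, qtype: str) -> Optional[Answer]:
        """Return the RR to send, or None to drop the query."""
        real = decode_target(qname)
        if real is not None:
            # Only a resolver that received our CNAME and followed it asks for this
            # name: two-way reachability is proven, so lift the block on the source.
            self.blocked.discard(src_ip)
            self.challenged.discard(src_ip)
            want = "AAAA" if ":" in real else "A"
            return (want, real) if qtype == want else None
        rrset = ZONE_DATA.get(qname, {})
        if src_ip not in self.blocked:
            return (qtype, rrset[qtype]) if qtype in rrset else None
        if src_ip in self.challenged or qtype not in ("A", "AAAA") or qtype not in rrset:
            return None   # one challenge per blocked source, and only where a CNAME makes sense
        self.challenged.add(src_ip)
        return ("CNAME", encode_target(rrset[qtype]))


if __name__ == "__main__":
    srv = DampeningServer()
    srv.block("198.51.100.7")                      # constructed source address
    cname = srv.answer("198.51.100.7", f"www.{ZONE}", "A")
    print("challenge:", cname)
    print("follow-up:", srv.answer("198.51.100.7", cname[1], "A"))
```

A spoofed query carries the victim's address as its source, so the victim only ever receives the small CNAME response and nothing further until something at that address actually follows the chain; a real resolver does follow it, gets the genuine answer, and is unblocked in the process.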