[dns-operations] CloudShield advices against dDoS

Antoin Verschuren antoin.verschuren at sidn.nl
Tue Feb 26 11:01:44 UTC 2013



On 25-02-13 16:38, John Kristoff wrote:
> 
> To wit, suggestion #1 is to block query types you know you do not
> have answers for.  On the face, this may seem sensible and in some 
> dire, but probably limited scenarios maybe it even helps.  To do
> so typically requires some sort of DPI device in front of the DNS
> server, a solution often not readily available.
> 
> This suggestion also hurts a legitimate resolver.

Not only that, but it hurts their own network even more.
They will receive more queries and more incoming traffic if they block
certain queries instead of answering with NXdomain.
Earlier research (1) of resolver behavior has shown that a resolver
will re-query up to 8 times before timing out, where an NXdomain
answer will immediately shut it down and the answer is cached at the
resolver. So they will have up to 8 times higher incoming traffic if
they block instead of answer.

(1)
https://www.dns-oarc.net/files/workshop-201103/BartGijsen-DNS-client-analysis.pdf
-- 
Antoin Verschuren

Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  M: +31 6 23368970
Mailto: antoin.verschuren at sidn.nl
XMPP: antoin.verschuren at jabber.sidn.nl
HTTP://www.sidn.nl/
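The retry-versus-negative-cache effect described in the message above, as an added toy model that is not part of the original post or of any resolver's code. It assumes a resolver re-queries up to 8 times when it gets no reply (the figure from the cited study) and caches nothing from silence, whereas a negative answer (NXDOMAIN or NODATA) stops it immediately and is negatively cached for a TTL (RFC 2308); MAX_RETRIES, NEG_TTL and the traffic are constructed.

```python
"""Toy model (added example, not the original post's code): count the packets
an authoritative server receives from one caching resolver when a query
type is silently dropped versus answered negatively."""
from collections import namedtuple

MAX_RETRIES = 8   # assumption taken from the cited DNS-OARC study: up to 8 re-queries
NEG_TTL = 300     # assumption: negative-cache TTL in seconds (SOA minimum, RFC 2308)

Query = namedtuple("Query", "time qname qtype")


def authoritative_load(queries, policy, max_retries=MAX_RETRIES, neg_ttl=NEG_TTL):
    """Return the number of packets that reach the authoritative server.

    policy: 'drop'     - the query type is filtered, no reply is ever sent
            'nxdomain' - the server answers negatively (NXDOMAIN/NODATA)
    """
    neg_cache = {}  # (qname, qtype) -> expiry time of the cached negative answer
    packets = 0
    for q in sorted(queries, key=lambda q: q.time):
        key = (q.qname, q.qtype)
        if policy == "nxdomain":
            if key in neg_cache and neg_cache[key] > q.time:
                continue  # served from the negative cache: no upstream traffic
            packets += 1  # one query, answered at once and cached
            neg_cache[key] = q.time + neg_ttl
        elif policy == "drop":
            # Silence is not cacheable: every client query starts a fresh
            # retry sequence at the resolver, so the server sees max_retries packets.
            packets += max_retries
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return packets


def constructed_traffic(names=("a.example", "b.example", "c.example"),
                        qtype="TXT", clients=30, interval=30):
    """Constructed sample: `clients` stub clients behind one resolver each ask
    for the same names once, spaced `interval` seconds apart."""
    return [Query(i * interval, n, qtype) for n in names for i in range(clients)]


def compare(queries=None):
    """Packets at the authoritative under both policies for the same client load."""
    queries = queries if queries is not None else constructed_traffic()
    return {p: authoritative_load(queries, p) for p in ("drop", "nxdomain")}


if __name__ == "__main__":
    for policy, n in compare().items():
        print(f"{policy:9s} -> {n} packets at the authoritative")
```

Because the negative cache is shared by every client behind the resolver, the gap in this model is larger than the per-query factor of 8 quoted in the message.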