[dns-operations] CloudShield advices against dDoS
antoin.verschuren at sidn.nl
Tue Feb 26 11:01:44 UTC 2013
On 25-02-13 16:38, John Kristoff wrote:
> To wit, suggestion #1 is to block query types you know you do not
> have answers for. On the face, this may seem sensible and in some
> dire, but probably limited scenarios maybe it even helps. To do
> so typically requires some sort of DPI device in front of the DNS
> server, a solution often not readily available.
> This suggestion also hurts a legitimate resolver.
Not only that, but it hurts their own network even more.
They will receive more queries and more incoming traffic if they block
certain queries instead of answering with NXDOMAIN.
Earlier research (1) of resolver behavior has shown that a resolver
will re-query up to 8 times before timing out, whereas an NXDOMAIN
answer will immediately shut it down and the answer is cached at the
resolver. So they will have up to 8 times higher incoming traffic if
they block instead of answer.
Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500 M: +31 6 23368970
Mailto: antoin.verschuren at sidn.nl
XMPP: antoin.verschuren at jabber.sidn.nl
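The retry-versus-negative-answer effect described in the post, as an added simulation (not code from the thread or from SIDN). It models an authoritative server that either silently drops queries it has no data for or answers them negatively, and a minimal resolver that retries an unanswered query up to 8 times (the figure cited in the post) and negatively caches answers. The negative-cache TTL, the client workload, and the simplification that a SERVFAIL is not cached are assumptions of this model; real resolvers differ in their retry counts and some briefly cache SERVFAIL. One practitioner caveat: when the name exists but the queried type does not, the correct negative answer is NOERROR with an empty answer section (NODATA) rather than NXDOMAIN, but both are negatively cacheable under RFC 2308, so the packet-count argument is the same.

```python
"""Constructed simulation (not from the thread): count the queries an
authoritative server receives when it silently drops queries it cannot
answer versus answering them negatively, given a resolver that retries."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumptions for this model: the retry count is the "up to 8" cited in the
# post; the negative-cache TTL and the client workload are made up here.
MAX_RETRIES = 8
NEG_TTL = 300  # seconds the resolver keeps a negative answer (RFC 2308)

Key = Tuple[str, str]  # (qname, qtype)


class Authoritative:
    """Authoritative server with one of two policies for queries it has no
    data for: 'drop' (a filter silently discards them) or 'negative'
    (answer NXDOMAIN or NODATA; both are negatively cacheable)."""

    def __init__(self, policy: str) -> None:
        if policy not in ("drop", "negative"):
            raise ValueError(policy)
        self.policy = policy
        self.received = 0  # every packet reaching the server, answered or not

    def query(self, qname: str, qtype: str) -> Optional[str]:
        self.received += 1
        return None if self.policy == "drop" else "NXDOMAIN"


class Resolver:
    """Minimal recursive resolver: retries an unanswered query up to
    max_retries times and caches negative answers for NEG_TTL seconds."""

    def __init__(self, auth: Authoritative, max_retries: int = MAX_RETRIES) -> None:
        self.auth = auth
        self.max_retries = max_retries
        self.neg_cache: Dict[Key, int] = {}  # key -> expiry time

    def resolve(self, qname: str, qtype: str, now: int) -> str:
        key = (qname, qtype)
        expiry = self.neg_cache.get(key)
        if expiry is not None and now < expiry:
            return "NXDOMAIN (cached)"  # served from cache, no packet upstream
        for _ in range(self.max_retries):
            rcode = self.auth.query(qname, qtype)
            if rcode is not None:
                self.neg_cache[key] = now + NEG_TTL
                return rcode
        # All retries timed out. SERVFAIL is not cached in this model, so the
        # next client lookup for the same name starts the retry burst again.
        return "SERVFAIL"


def simulate(policy: str, workload: List[Tuple[int, Key]]) -> Tuple[int, Counter]:
    """Run the workload through one resolver; return (packets received by the
    authoritative server, tally of what the clients got back)."""
    auth = Authoritative(policy)
    resolver = Resolver(auth)
    outcomes: Counter = Counter()
    for now, (qname, qtype) in workload:
        outcomes[resolver.resolve(qname, qtype, now)] += 1
    return auth.received, outcomes


# Constructed client workload: five lookups of one name/type within a minute,
# then one lookup of a second name/type. The server has data for none of them.
WORKLOAD: List[Tuple[int, Key]] = [
    (0, ("nonexistent.example.", "TXT")),
    (10, ("nonexistent.example.", "TXT")),
    (20, ("nonexistent.example.", "TXT")),
    (30, ("nonexistent.example.", "TXT")),
    (40, ("nonexistent.example.", "TXT")),
    (50, ("other.example.", "AAAA")),
]

if __name__ == "__main__":
    for policy in ("drop", "negative"):
        received, outcomes = simulate(policy, WORKLOAD)
        print(f"{policy:8s} packets at authoritative: {received:3d}  "
              f"clients saw: {dict(outcomes)}")
```

With this workload the drop policy costs the authoritative server 48 packets (6 lookups times 8 retries) and every client ends up with SERVFAIL, while answering negatively costs 2 packets because the remaining four lookups are served from the resolver's negative cache. The per-lookup factor is the 8 the post mentions; the cache turns it into a larger factor over repeated lookups.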