[dns-operations] responding to spoofed ANY queries
Jim Reid
jim at rfc1035.com
Thu Jan 10 15:23:48 UTC 2013
On 10 Jan 2013, at 15:00, Paul Wouters <paul at cypherpunks.ca> wrote:
> On Thu, 10 Jan 2013, Jim Reid wrote:
>
>> IMO, responding to these spoofed queries is a Bad Idea.
>
> Not responding is worse.
>
> - valid recursors will just retry
>
> - valid recursors might conclude the auth server is slow/bad/unreachable and avoid it for legitimate queries as well.
I agree: provided we're talking about responding to queries from valid recursors. However we're not. The context is spoofed queries. [See above.] Responding to these is bad because (a) it chews your bandwidth and CPU; (b) the replies don't go to the actual source that generated the queries; (c) the destination of those responses doesn't want or need that inbound traffic. This is why we agree RRL helps to reduce the damage from spoofed ANY flood attacks.
More information about the dns-operations
mailing list