[dns-operations] responding to spoofed ANY queries

Matthew Ghali mghali at snark.net
Thu Jan 10 17:39:37 UTC 2013


So if I understand correctly, the solution you are advocating is to only answer non-spoofed queries?


On Jan 10, 2013, at 7:23 AM, Jim Reid <jim at rfc1035.com> wrote:

> I agree: provided we're talking about responding to queries from valid recursors. However we're not. The context is spoofed queries. [See above.] Responding to these is bad because (a) it chews your bandwidth and CPU; (b) the replies don't go to the actual source that generated the queries; (c) the destination of those responses doesn't want or need that inbound traffic. This is why we agree RRL helps to reduce the damage from spoofed ANY flood attacks.



