[dns-operations] responding to spoofed ANY queries

Jim Reid jim at rfc1035.com
Thu Jan 10 20:07:22 UTC 2013


On 10 Jan 2013, at 17:39, Matthew Ghali <mghali at snark.net> wrote:

> So if I understand correctly, the solution you are advocating is to only answer non-spoofed queries?

It's one of them, yes. Though since it's hard for a DNS server to distinguish between spoofed and genuine source IP addresses, the RRL patch is the easiest way to get the same effect. Your server would then respond to a teeny fraction of the thousands of queries per second from the same (forged) IP address(es). Further measures will be necessary, especially if/when the characteristics of the current attacks change to make them less amenable to RRL dampening.

Sadly, there is no magic bullet which will solve this problem. A bunch of countermeasures and defences are needed, some of which will be outside the realm of network operations or the DNS protocol. This should not be news to anyone here.
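The dampening behaviour described above (answer only a small fraction of the queries arriving per second for the same name from the same claimed source, so a forged address receives little amplified traffic) can be sketched as a per-source rate limiter. The following is an added illustration, not code from this thread or from the BIND RRL patch: a simplified token-style limiter keyed on the source /24, query name and type, with a "slip" option that sends every second suppressed answer as a truncated (TC=1) response so a genuine client can retry over TCP. The IP addresses, query names, rate parameters and the 1000-query flood are all constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class ResponseRateLimiter:
    """Simplified model of DNS response rate limiting (RRL).

    Real implementations (BIND, NSD, Knot) keep more state and also classify
    responses (NXDOMAIN, error, referral); this example only models the
    per-(source prefix, qname, qtype) window that the thread discusses.
    """
    responses_per_second: int = 5     # answers allowed per key per window
    window: float = 1.0               # window length in seconds
    slip: int = 2                     # every Nth suppressed answer is sent truncated (TC=1)
    _counts: dict = field(default_factory=lambda: defaultdict(int))
    _window_start: dict = field(default_factory=lambda: defaultdict(float))
    _suppressed: dict = field(default_factory=lambda: defaultdict(int))

    @staticmethod
    def src_prefix(ip: str) -> str:
        # Aggregate on the /24 so an attacker cannot dodge the limit by
        # rotating forged addresses inside one small block (IPv4 only here).
        return ".".join(ip.split(".")[:3]) + ".0/24"

    def decide(self, src_ip: str, qname: str, qtype: str, now: float) -> str:
        """Return 'respond', 'slip' (truncated answer) or 'drop' for one query."""
        key = (self.src_prefix(src_ip), qname.lower().rstrip("."), qtype.upper())
        if now - self._window_start[key] >= self.window:
            # Start a fresh accounting window for this key.
            self._window_start[key] = now
            self._counts[key] = 0
        self._counts[key] += 1
        if self._counts[key] <= self.responses_per_second:
            return "respond"
        self._suppressed[key] += 1
        if self.slip and self._suppressed[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate() -> dict:
    """Run a constructed ANY-query flood plus one ordinary query through the limiter."""
    rl = ResponseRateLimiter(responses_per_second=5, slip=2)
    # Constructed traffic: 1000 ANY queries within one second, all carrying the
    # same forged source address (documentation range 203.0.113.0/24).
    flood = [("203.0.113.7", "example.com", "ANY", 100.0 + i / 1000) for i in range(1000)]
    # One ordinary A query from a different network during the same second.
    genuine = [("198.51.100.5", "example.com", "A", 100.5)]

    tally = {"spoofed": Counter(), "genuine": Counter()}
    for src, qname, qtype, t in flood:
        tally["spoofed"][rl.decide(src, qname, qtype, t)] += 1
    for src, qname, qtype, t in genuine:
        tally["genuine"][rl.decide(src, qname, qtype, t)] += 1
    return {label: dict(c) for label, c in tally.items()}


if __name__ == "__main__":
    for label, outcome in simulate().items():
        print(label, outcome)
```

With these parameters the forged source receives five full answers out of a thousand queries; the rest are dropped or slipped, so the amplification the attacker was counting on largely disappears, while the unrelated client on 198.51.100.0/24 is answered normally because it is tracked under its own key.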
