[dns-operations] responding to spoofed ANY queries
paul at redbarn.org
Sun Jan 13 04:45:05 UTC 2013
Frank Bulk wrote:
> If the problem is amplification, why not only perform RRL on only those DNS
> communications exchanges that have certain amplification factor (i.e. 1.5).
i had not thought of this. now that you're making me do so, i think
first, 1.5X is probably a compelling amplification factor.
second, such a limit would not remove the need to know how many repeated
responses are reasonable for some netblock. that consideration does not
have gray areas in which we might use response size ratio as a tie breaker.
third, in the rare false positive case, someone getting timeouts and
having to retry with either udp or tcp, would have more difficulty
diagnosing the cause of that problem if the size of the responses they
aren't getting was one of the determining factors of whether they got it.
More information about the dns-operations