[dns-operations] responding to spoofed ANY queries
Jim Reid
jim at rfc1035.com
Sun Jan 13 20:10:50 UTC 2013
On 13 Jan 2013, at 16:28, Vernon Schryver <vjs at rhyolite.com> wrote:
>> If the problem is amplification, why not only perform RRL on only those DNS
>> communications exchanges that have certain amplification factor (i.e. 1.5).
>>
> That sounds nice but has problems. The main one for me is that
> you'd have wait until the response has been marshalled before
> determining it size and deciding whether to drop it. That seems
> to me harder to code in BIND9 and more expensive in CPU cycles.
I suppose a name server could keep a (small?) cache of recently marshalled answers and use that to either rate limit responses which are too large or identical to one that has recently been sent to the same IP address(es). [For some definition of large and recent.] This might even be cheaper/faster in some cases. ie Generating a reply with a memcpy() from whatever outgoing packets have been kept in this cache instead of assembling all the RRs, doing label compression, etc. It could be good to have something which rate limits outgoing responses in addition to what's done with incoming queries.
Doesn't some name server implementation - PowerDNS? - already do this? Might not be for rate limiting though...
More information about the dns-operations
mailing list