[dns-operations] responding to spoofed ANY queries
Vernon Schryver
vjs at rhyolite.com
Sun Jan 13 22:52:04 UTC 2013
> From: Jim Reid <jim at rfc1035.com>
> I suppose a name server could keep a (small?) cache of recently
> marshalled answers and use that to either rate limit responses which
> are too large or identical to one that has recently been sent to the
> same IP address(es). [For some definition of large and recent.]
A problem with that thought is what I tried to state before, that there
is no definition of "large" that is small enough to permit an exemption
from rate limiting but not so small that it keeps minimal DNS responses
rate limited.
For example, it seems that <random>.rfc1035.com to your 93.186.33.42 is
good for a 2X amplified stream of NXDOMAINs. 2X is small but too high
for DoS victims to tolerate. I trust you will eventually turn on
DNSSEC, which will probably boost your amplification of random requests
well above 5X.
> It
> could be good to have something which rate limits outgoing responses
> in addition to what's done with incoming queries.
Please recall that RRL stands for *response* rate limiting and neither
*query* rate limiting nor *client* rate limiting. The differences are
significant.
Among those differences is one that wrecks the goal of turning off
RRL for those mythical small-enough-to-not-be-amplified responses.
Because RRL is about rate limiting responses instead of clients,
there are few or no good reasons to turn it off for large or small
legitimate responses. Legitimate responses are not frequently
repeated and so don't get dropped except in rare or dubious scenarios.
Vernon Schryver vjs at rhyolite.com
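The distinction drawn above between response rate limiting and client or query rate limiting, as an added illustration that is not part of the thread or of any RRL implementation: a simplified limiter keyed on (client address block, response identity) rather than on the client alone. The per-second budget, the /24 grouping, the rule that error responses share one identity per zone, and the traffic samples are all assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

def amplification(query_bytes, response_bytes):
    """Bytes delivered to the spoofed victim per byte the attacker sends."""
    return response_bytes / query_bytes

class ResponseRateLimiter:
    """Simplified RRL (assumed model, not BIND's code): identical responses to
    one client block are capped per second. The key is (client /prefix,
    response identity); error responses such as NXDOMAIN share one identity
    per zone, so <random>.zone names all count against the same budget."""
    def __init__(self, responses_per_second=5, prefix_len=24):
        self.limit, self.prefix_len = responses_per_second, prefix_len
        self.counts, self.window = defaultdict(int), None
    def _key(self, client_ip, zone, rcode, qname, qtype):
        block = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        ident = (qname, qtype) if rcode == "NOERROR" else (zone, rcode)
        return (block, ident)
    def decide(self, now, client_ip, zone, rcode, qname, qtype):
        if int(now) != self.window:        # start a new one-second window
            self.window, self.counts = int(now), defaultdict(int)
        key = self._key(client_ip, zone, rcode, qname, qtype)
        self.counts[key] += 1
        return "send" if self.counts[key] <= self.limit else "drop"

def simulate(limiter, queries):
    """queries: (time, client_ip, zone, rcode, qname, qtype); returns (sent, dropped)."""
    sent = sum(1 for q in queries if limiter.decide(*q) == "send")
    return sent, len(queries) - sent

# Constructed traffic (RFC 5737 addresses): 100 forged <random>.example
# queries within one second, all spoofed from a single victim address,
# and 10 distinct genuine lookups from another client.
SPOOFED = [(i / 100, "192.0.2.10", "example", "NXDOMAIN", f"r{i}.example", "A")
           for i in range(100)]
LEGIT = [(0.5, "198.51.100.7", "example", "NOERROR", f"host{i}.example", "A")
         for i in range(10)]

if __name__ == "__main__":
    print(amplification(64, 128), simulate(ResponseRateLimiter(), SPOOFED),
          simulate(ResponseRateLimiter(), LEGIT))   # 2.0 (5, 95) (10, 0)
```

The random-name flood collapses to one response identity and is capped after the fifth copy, while the ten distinct genuine answers each have their own budget and are all sent, which is why the response size never needs to enter the decision.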