[dns-operations] Recently closed open resolver and reflection attacks

Joe Abley jabley at hopcount.ca
Wed Mar 6 17:49:22 UTC 2013

On 2013-03-06, at 12:36, WBrown at e1b.org wrote:

> Is there any reason why recursive queries to an authoritative server that 
> would normally get a REFUSED reply shouldn't be dropped instead of getting 
> an answer?
> Maybe now that I've had lunch the brain will work better.

There's no amplification potential in sending such queries, so perhaps not much of a threat to defend against. As I understand your original message now, RRL would presumably penalise repeat offenders.

There's always reduced ability to troubleshoot and the potential for time-outs when you don't send a reply at all.

Suppressing REFUSED responses seems like potential risk and little benefit.
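The "no amplification potential" point above, illustrated with an added example that is not part of the original message or the list's own tooling: the Python below builds a bare RFC 1035 query on the wire, the REFUSED reply an authoritative-only server returns for it (question echoed, no resource records), and for contrast an ordinary answer, then compares sizes. It assumes a query without an EDNS OPT record and uses the documentation name example.com and TEST-NET-1 addresses (192.0.2.0/24) as constructed sample input.

```python
import struct

RCODE_REFUSED = 5
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=0x1234, rd=True):
    """A minimal RFC 1035 query: 12-byte header plus one question, no EDNS (assumption)."""
    flags = 0x0100 if rd else 0x0000          # RD = recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def question_end(packet):
    """Offset just past the single question section (QNAME is uncompressed in a query)."""
    i = 12
    while packet[i] != 0:
        i += 1 + packet[i]
    return i + 1 + 4                          # root label + QTYPE + QCLASS


def refused_response(query):
    """What an authoritative-only server sends for a query it will not serve:
    the question echoed back, QR=1, RA=0, RCODE=REFUSED, and no RRs at all."""
    txid, flags = struct.unpack("!HH", query[:4])
    new_flags = 0x8000 | (flags & 0x0100) | RCODE_REFUSED   # QR set, RD preserved
    header = struct.pack("!HHHHHH", txid, new_flags, 1, 0, 0, 0)
    return header + query[12:question_end(query)]


def answer_response(query, addresses):
    """For contrast: a positive answer with one A record per address, the owner
    name compressed to a pointer at offset 12 (0xC00C), 300 s TTL (constructed)."""
    txid, flags = struct.unpack("!HH", query[:4])
    new_flags = 0x8400 | (flags & 0x0100)     # QR set, AA set, RCODE=0
    header = struct.pack("!HHHHHH", txid, new_flags, 1, len(addresses), 0, 0)
    rrs = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return header + query[12:question_end(query)] + rrs


def rcode(packet):
    """RCODE is the low four bits of the flags word."""
    return struct.unpack("!H", packet[2:4])[0] & 0x000F


def is_response(packet):
    """QR bit: 1 for a response, 0 for a query."""
    return bool(struct.unpack("!H", packet[2:4])[0] & 0x8000)


def amplification(query, response):
    """Bytes a reflector sends to the spoofed victim per byte the attacker sends."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com.")
    refused = refused_response(q)
    answered = answer_response(q, ["192.0.2.%d" % i for i in range(1, 11)])
    print("query:   %d bytes" % len(q))
    print("REFUSED: %d bytes, rcode=%d, factor %.2f"
          % (len(refused), rcode(refused), amplification(q, refused)))
    print("answer:  %d bytes, rcode=%d, factor %.2f"
          % (len(answered), rcode(answered), amplification(q, answered)))
```

Run as-is, the REFUSED reply comes back at exactly the query's size (factor 1.0), while even a ten-record answer is more than six times the query. That size asymmetry is what a reflection attacker needs from a reflector, and a REFUSED reply does not provide it, which is the reason dropping such queries buys so little compared with the troubleshooting cost of silence.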