[dns-operations] Recently closed open resolver and reflection attacks
jabley at hopcount.ca
Wed Mar 6 17:49:22 UTC 2013
On 2013-03-06, at 12:36, WBrown at e1b.org wrote:
> Is there any reason why recursive queries to an authoritative server that
> would normally get a REFUSED reply shouldn't be dropped instead of getting
> an answer?
> Maybe now that I've had lunch the brain will work better.
There's no amplification potential in sending such queries, so perhaps not much of a threat to defend against. As I understand your original message, now, RRL would presumably penalise repeat offenders.
There's always reduced ability to troubleshoot and the potential for time-outs when you don't send a reply at all.
Suppressing REFUSED responses seems like potential risk and little benefit.
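As an added illustration, not part of the thread, of why a REFUSED reply carries no amplification value: the reply is the query's own header and question section sent back with QR set and RCODE=5, so it is byte-for-byte the same size as the query. The messages below are constructed (query ID and the name example.com are arbitrary).

```python
import struct

RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """RFC 1035 label encoding of a domain name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid: int, name: str, qtype: int = 1, rd: bool = True) -> bytes:
    """Single-question DNS query; RD=1 asks the server to recurse."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_refused(query: bytes) -> bytes:
    """Reply an authoritative-only server gives to a recursive query it will
    not serve: same ID, RD copied, QR=1, RCODE=REFUSED, no resource records."""
    qid, qflags, qdcount = struct.unpack("!HHH", query[:6])
    flags = 0x8000 | (qflags & 0x0100) | RCODE_REFUSED
    header = struct.pack("!HHHHHH", qid, flags, qdcount, 0, 0, 0)
    return header + query[12:]  # question section echoed back unchanged


def rcode(msg: bytes) -> int:
    """RCODE field from the second header word."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def amplification(query: bytes, response: bytes) -> float:
    """Bytes delivered to the spoofed source per byte the sender spent."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    r = build_refused(q)
    print(len(q), len(r), rcode(r), amplification(q, r))  # 29 29 5 1.0
```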