[dns-operations] Small datapoint on current DoS mitigation

Paul Vixie paul at redbarn.org
Thu Apr 3 14:10:39 UTC 2014
bert hubert wrote:
> Hi everybody,
>
> Like most people, we're currently seeing loads and loads of malicious DNS
> traffic. In this post
> http://blog.powerdns.com/2014/04/03/further-dos-guidance-packages-and-patches-available/
> we describe a new PowerDNS feature that so far has been remarkably
> effective. I think it was inspired by a feature from Unbound, but unsure. It
> was contributed to us by PowerDNS user Paulo Anes (thanks!).
>
> What this filter does is keep tabs on authoritative servers that don't answer. After not
> answering for X times in a row, the server gets blacklisted for Y seconds. 
>
> Then, after Y seconds the server gets a new chance to answer. If it doesn't,
> it immediately gets blacklisted again for Y seconds. However, if it provides
> only a single answer (even if incorrect), the blacklisting gets removed.
>
> ...
two questions:

if all of the servers for the closest enclosing zone cut are on the
dynamic server blacklist, do you SERVFAIL the query?

do you keep track of servers by NS name, or A/AAAA address?

do you also blacklist a server who sends SERVFAIL, and if so do you
follow this text from RFC 2308?

    In either case a resolver MAY cache a server failure response.  If it
    does so it MUST NOT cache it for longer than five (5) minutes, and it
    MUST be cached against the specific query tuple <query name, type,
    class, server IP address>.


vixie
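The following is an added toy model of the mechanism bert hubert describes (X consecutive non-answers put a server on a blacklist for Y seconds; a single answer of any kind clears it) combined with the RFC 2308 rule vixie quotes for caching SERVFAIL against the <query name, type, class, server IP address> tuple for at most five minutes. It is not PowerDNS or Unbound code. Its assumptions, none of which the thread settles, are: servers are tracked by IP address rather than NS name; the defaults x=3 and y=60 seconds; a SERVFAIL counts as an answer (so it clears the dead-server state) and is cached per tuple; and `pick_server` simply returns `None` when every candidate is blacklisted, leaving the SERVFAIL-or-not decision to the caller. The `FakeClock` exists only so the behaviour can be exercised offline.

```python
from __future__ import annotations

import time
from dataclasses import dataclass

# RFC 2308 cap on caching a server failure response: five minutes.
SERVFAIL_MAX_TTL = 300.0


class FakeClock:
    """Settable monotonic clock so the tracker can be exercised offline."""

    def __init__(self, start: float = 1000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


@dataclass
class ServerState:
    failures: int = 0           # consecutive queries this server left unanswered
    blocked_until: float = 0.0  # clock value until which the address is blacklisted


class DeadServerTracker:
    """Per-address bookkeeping for authoritative servers that stop answering.

    x and y are the thread's own parameter names: x unanswered queries in a row
    blacklist the address for y seconds; any answer at all clears it.
    (Assumed defaults; the post does not give values.)
    """

    def __init__(self, x: int = 3, y: float = 60.0, clock=time.monotonic) -> None:
        self.x = x
        self.y = y
        self.clock = clock
        self.servers: dict[str, ServerState] = {}   # keyed by IP address (assumption)
        # SERVFAIL cache keyed by the RFC 2308 tuple (qname, qtype, qclass, server IP)
        self.servfail_cache: dict[tuple[str, str, str, str], float] = {}

    def is_blacklisted(self, ip: str) -> bool:
        st = self.servers.get(ip)
        return st is not None and st.blocked_until > self.clock()

    def record_timeout(self, ip: str) -> bool:
        """Count a non-answer; return True if the address is now blacklisted.

        The failure counter is deliberately not reset when the y-second block
        expires, so the single probe sent afterwards re-blacklists the address
        on its own if it also goes unanswered, as the post describes.
        """
        st = self.servers.setdefault(ip, ServerState())
        st.failures += 1
        if st.failures >= self.x:
            st.blocked_until = self.clock() + self.y
            return True
        return False

    def record_answer(self, ip: str) -> None:
        """Any response, correct or not, takes the address off the list."""
        self.servers[ip] = ServerState()

    def record_servfail(self, ip: str, qname: str, qtype: str, qclass: str,
                        ttl: float = SERVFAIL_MAX_TTL) -> float:
        """Treat SERVFAIL as a (bad) answer and cache it per the RFC 2308 tuple.

        Assumption for this example: a SERVFAIL is an answer, so it clears the
        dead-server state instead of counting as a timeout. The cache lifetime
        is capped at five minutes regardless of the requested ttl.
        """
        self.record_answer(ip)
        expiry = self.clock() + min(ttl, SERVFAIL_MAX_TTL)
        self.servfail_cache[(qname, qtype, qclass, ip)] = expiry
        return expiry

    def servfail_cached(self, ip: str, qname: str, qtype: str, qclass: str) -> bool:
        expiry = self.servfail_cache.get((qname, qtype, qclass, ip))
        return expiry is not None and expiry > self.clock()

    def pick_server(self, candidates: list[str]) -> str | None:
        """First usable address, or None when every candidate is blacklisted.

        The thread leaves open what a resolver should do in the None case
        (SERVFAIL is one option); this example only reports it.
        """
        for ip in candidates:
            if not self.is_blacklisted(ip):
                return ip
        return None
```

With x=3 and y=60, three consecutive timeouts from 192.0.2.1 blacklist it; 61 seconds later it is eligible again, and one further timeout re-blacklists it immediately, whereas one answer resets the counter so that three fresh timeouts are needed again. The SERVFAIL entry for ("example.com.", "A", "IN", 192.0.2.3) expires after 300 seconds even when a 3600-second ttl is requested.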