[dns-operations] Small datapoint on current DoS mitigation
bert hubert
bert.hubert at netherlabs.nl
Wed Apr 9 18:58:30 UTC 2014
On Thu, Apr 03, 2014 at 07:10:39AM -0700, Paul Vixie wrote:

> if all of the servers for the closest enclosing zone cut are on the
> dynamic server blacklist, do you SERVFAIL the query?

Yes, since we have no functioning nameservers left to contact.

> do you keep track of servers by NS name, or A/AAAA address?

This specific filter is based on A/AAAA.

> do you also blacklist a server who sends SERVFAIL, and if so do you
> follow this text from RFC 2308?

No, although we do have a weaker filter for that that stops us from sending
out too many identical queries that lead to SERVFAILs.

> In either case a resolver MAY cache a server failure response. If it
> does so it MUST NOT cache it for longer than five (5) minutes, and it
> MUST be cached against the specific query tuple <query name, type,
> class, server IP address>.

It turns out we do that by default.

Bert
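The two mechanisms discussed in this exchange (a dynamic blacklist keyed by A/AAAA address that yields SERVFAIL once every server for the zone cut is listed, and an RFC 2308 server-failure cache keyed by the <query name, type, class, server IP address> tuple and capped at five minutes) can be sketched as a small simulation. The code below is an added illustration written for this page, not code from any resolver or from the poster; the class and function names, timings and addresses (192.0.2.x, documentation space) are all constructed for the example.

```python
import time
from dataclasses import dataclass, field

# RFC 2308 section 7.1: a cached server failure MUST NOT be kept longer than five minutes.
MAX_SERVFAIL_CACHE_SECONDS = 300


@dataclass
class ServerHealth:
    """Per-address state of a recursive resolver (constructed example).

    blacklisted_until: address -> expiry timestamp of the dynamic blacklist entry
    servfail_cache:   (qname, qtype, qclass, address) -> expiry timestamp
    """
    blacklisted_until: dict = field(default_factory=dict)
    servfail_cache: dict = field(default_factory=dict)

    def blacklist(self, addr, seconds, now=None):
        # Keyed by A/AAAA address, not by NS name, as in the exchange above.
        now = time.time() if now is None else now
        self.blacklisted_until[addr] = now + seconds

    def is_blacklisted(self, addr, now=None):
        now = time.time() if now is None else now
        expiry = self.blacklisted_until.get(addr)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklisted_until[addr]  # entry aged out
            return False
        return True

    def cache_servfail(self, qname, qtype, qclass, addr, ttl, now=None):
        # Cache against the full query tuple and clamp the lifetime to 5 minutes.
        now = time.time() if now is None else now
        ttl = min(ttl, MAX_SERVFAIL_CACHE_SECONDS)
        self.servfail_cache[(qname.lower(), qtype, qclass, addr)] = now + ttl

    def servfail_cached(self, qname, qtype, qclass, addr, now=None):
        now = time.time() if now is None else now
        key = (qname.lower(), qtype, qclass, addr)
        expiry = self.servfail_cache.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.servfail_cache[key]
            return False
        return True


def resolve_step(state, zone_cut_servers, qname, qtype, qclass="IN", now=None):
    """Pick the next server to ask for the closest enclosing zone cut.

    Returns ("QUERY", address) for the first server that is neither blacklisted
    nor has a cached server failure for this exact query tuple, or
    ("SERVFAIL", reason) when there is nothing useful left to contact.
    """
    now = time.time() if now is None else now
    usable = [a for a in zone_cut_servers if not state.is_blacklisted(a, now)]
    if not usable:
        # Every server for the zone cut is on the dynamic blacklist.
        return ("SERVFAIL", "all servers for zone cut blacklisted")
    for addr in usable:
        if not state.servfail_cached(qname, qtype, qclass, addr, now):
            return ("QUERY", addr)
    # Servers are reachable, but each already failed this tuple recently.
    return ("SERVFAIL", "server failure cached for query tuple")


if __name__ == "__main__":
    t0 = 1000.0
    st = ServerHealth()
    ns = ["192.0.2.1", "192.0.2.2"]
    st.blacklist("192.0.2.1", 60, now=t0)
    st.blacklist("192.0.2.2", 60, now=t0)
    print(resolve_step(st, ns, "example.com", "A", now=t0))        # SERVFAIL, all blacklisted
    st.cache_servfail("example.com", "A", "IN", "192.0.2.1", 3600, now=t0)
    print(resolve_step(st, ns, "example.com", "A", now=t0 + 61))   # QUERY 192.0.2.2
    print(resolve_step(st, ns, "example.com", "AAAA", now=t0 + 61))  # QUERY 192.0.2.1
```

The per-tuple key is what keeps a single failing <name, type> from poisoning unrelated queries to the same address: in the sample run, the cached failure for example.com/A on 192.0.2.1 steers the A query to the second server while an AAAA query for the same name still goes to the first.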