[dns-operations] Small datapoint on current DoS mitigation

bert hubert bert.hubert at netherlabs.nl
Wed Apr 9 18:58:30 UTC 2014

On Thu, Apr 03, 2014 at 07:10:39AM -0700, Paul Vixie wrote:
> if all of the servers for the closest enclosing zone cut are on the
> dynamic server blacklist, do you SERVFAIL the query?

Yes, since we have no functioning nameservers left to contact.

> do you keep track of servers by NS name, or A/AAAA address?

This specific filter is based on A/AAAA.

> do you also blacklist a server who sends SERVFAIL, and if so do you
> follow this text from RFC 2308?

No, although we do have a weaker filter for that that stops us from sending
out too many identical queries that lead to SERVFAILs.

> In either case a resolver MAY cache a server failure response.  If it
> does so it MUST NOT cache it for longer than five (5) minutes, and it
> MUST be cached against the specific query tuple <query name, type,
> class, server IP address>.

It turns out we do that by default.


More information about the dns-operations mailing list