[dns-operations] Always replying to UDP requests with TC=1, good practice or not
paul at redbarn.org
Sun Oct 18 19:46:59 UTC 2015
On Sunday, October 18, 2015 14:22:31 Mark Jeftovic wrote:
> Yes this is a common DDoS mitigation technique and it works pretty
> well for some situations. I'm not surprised to hear somebody patented
> this, I could almost hazard a guess who (but I won't)
> I would not do it all the time however, because we've seen cases where
> some devices / resolvers fail badly on the TCP retry (like they don't
> do it, won't do it), such as some mobile devices on some wireless
> It's ok to do this in a hair-on-fire situation IMHO (but I'm of the
> opinion it's ok to do almost anything in a hair-on-fire situation,
> such as dropping ANY's on the floor, whatever it takes)
i am -1 to all forms of modal defense. for that reason, see DNS RRL.
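
The technique named in the subject line, as an added example that is not part of the original thread: a responder that answers every UDP query with an empty TC=1 reply, and the client-side check that decides on the TCP retry. Function names and the sample query are constructed for illustration.

```python
import struct

QR, TC, RD, OPCODE_MASK = 0x8000, 0x0200, 0x0100, 0x7800

# Constructed sample: query id 0x1234, RD set, "example.com" type ANY class IN.
SAMPLE_QUERY = (struct.pack("!6H", 0x1234, RD, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!2H", 255, 1))


def question_end(msg: bytes) -> int:
    """Offset just past the first question (QNAME, QTYPE, QCLASS)."""
    off = 12
    while True:
        if off >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length > 63:  # compression pointers do not belong in a query name
            raise ValueError("unexpected label type in QNAME")
        off += length
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    return off + 4


def truncated_reply(query: bytes) -> bytes:
    """Header plus echoed question, TC=1, no records: never larger than the query."""
    if len(query) < 12:
        raise ValueError("short header")
    qid, flags, qdcount = struct.unpack("!3H", query[:6])
    if flags & QR or qdcount != 1:
        raise ValueError("not a single-question query")
    # An EDNS OPT record in the query is not echoed back in this example.
    rflags = QR | TC | (flags & (OPCODE_MASK | RD))
    header = struct.pack("!6H", qid, rflags, 1, 0, 0, 0)
    return header + query[12:question_end(query)]


def needs_tcp_retry(reply: bytes) -> bool:
    """Client side: a set TC bit means the answer must be re-asked over TCP."""
    flags = struct.unpack("!H", reply[2:4])[0]
    return bool(flags & QR and flags & TC)
```

A client for which needs_tcp_retry() is true but which never opens the TCP connection gets no answer at all, which is the failure case described in the quoted message.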