[dns-operations] Software that refuses an answer by QTYPE if it comes over plain UDP?

Tony Finch dot at dotat.at
Wed Mar 16 12:28:03 UTC 2016


Edward Lewis <edward.lewis at icann.org> wrote:

> If the worry is simply amplified reflective attacks, I don't
> see this tradeoff benefitting anyone.

Attacks that use authoritative servers directly can be dealt with by RRL.
It's more tricky to deal with attacks that use large numbers of recursive
servers for amplification, because then the authoritative server will get
a large number of queries from lots of legitimate clients, which RRL is
designed to allow. Minimal ANY responses make these recursive servers go
away happy without retrying over TCP and using up the server's TCP quota.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
North Utsire, South Utsire, East Forties: Variable 3 or 4, becoming northerly
or northwesterly 4 or 5. Slight or moderate. Fog banks. Moderate or good,
occasionally very poor.
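The trade-off Tony describes above, worked through as an added example (this is not code from the thread or from any DNS server): a per-client response rate limiter stands in for RRL, and three hypothetical policies for an ANY query arriving over UDP are compared, "full" (answer with every RRset), "truncate" (refuse over UDP by setting TC=1, so the recursor retries over TCP) and "minimal" (a single small RRset, in the style of RFC 8482). The record sizes, the zone contents, the RRL budget and the client addresses are all constructed for the model.

```python
from collections import defaultdict

# Constructed byte sizes for the model; real values depend on the zone and the names.
HEADER_BYTES = 12
QUESTION_BYTES = 17          # "example.com. IN ANY" in the question section
QUERY_BYTES = HEADER_BYTES + QUESTION_BYTES
HINFO_BYTES = 30             # a short synthesised HINFO RR, as RFC 8482 suggests
ZONE_RRSETS = {"A": 27, "AAAA": 39, "MX": 60, "TXT": 300, "DNSKEY": 420, "RRSIG": 600}

POLICIES = ("full", "truncate", "minimal")


def answer_any_udp(policy):
    """Return (udp_response_bytes, recursor_retries_over_tcp) for one ANY query over UDP."""
    if policy == "full":
        return HEADER_BYTES + QUESTION_BYTES + sum(ZONE_RRSETS.values()), False
    if policy == "truncate":
        # Refuse ANY over UDP by setting TC=1: a well-behaved recursor retries over TCP,
        # which costs the authoritative server a TCP connection per retry.
        return HEADER_BYTES + QUESTION_BYTES, True
    if policy == "minimal":
        # Minimal ANY: one small RRset, so the recursor is satisfied and does not retry.
        return HEADER_BYTES + QUESTION_BYTES + HINFO_BYTES, False
    raise ValueError(f"unknown policy {policy!r}")


class ResponseRateLimiter:
    """Per-client-address budget of responses per second; a simplified stand-in for RRL."""

    def __init__(self, responses_per_second):
        self.limit = responses_per_second
        self.count = defaultdict(int)

    def allow(self, client):
        if self.count[client] >= self.limit:
            return False          # RRL drops this response
        self.count[client] += 1
        return True


def simulate(queries, policy, rrl_limit=10):
    """Run one second's worth of UDP ANY queries through RRL and the chosen ANY policy.

    queries: one client address per query. In a direct reflection attack every
    query carries the spoofed victim address; via recursors each query comes
    from a distinct, legitimate resolver address.
    Returns bytes in, bytes out over UDP, the amplification factor and TCP retries.
    """
    rrl = ResponseRateLimiter(rrl_limit)
    bytes_in = len(queries) * QUERY_BYTES
    bytes_out = 0
    tcp_retries = 0
    for client in queries:
        if not rrl.allow(client):
            continue
        size, retry = answer_any_udp(policy)
        bytes_out += size
        tcp_retries += int(retry)
    return {
        "bytes_in": bytes_in,
        "bytes_out": bytes_out,
        "amplification": bytes_out / bytes_in,
        "tcp_retries": tcp_retries,
    }


def direct_attack(n=1000):
    """Attacker spoofs the victim's address on every query: one client from RRL's view."""
    return ["victim"] * n


def via_recursors(n=1000):
    """Attacker sends one query to each of n recursors; each forwards it from its own
    address, so RRL sees n legitimate clients, every one of them under the limit."""
    return [f"recursor-{i}" for i in range(n)]


if __name__ == "__main__":
    for name, queries in (("direct", direct_attack()), ("via recursors", via_recursors())):
        for policy in POLICIES:
            r = simulate(queries, policy)
            print(f"{name:14s} {policy:9s} amp={r['amplification']:6.2f} "
                  f"tcp_retries={r['tcp_retries']}")
```

With these constructed numbers RRL alone keeps the direct attack below an amplification of 1, but a thousand recursors each sending one query get a full answer apiece and amplify by about 50x; truncating every UDP ANY brings that back to 1x at the price of a thousand TCP retries, while the minimal answer gives roughly 2x with no TCP at all.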
