[dns-operations] Do residential ISPs do rate limiting on their local resolvers?

Florian Weimer fweimer at redhat.com
Mon Oct 24 12:09:52 UTC 2016


On 10/22/2016 06:27 PM, Paul Vixie wrote:
>
> Robert Martin-Legene wrote:
>> I think RRL does not really work so well in this case. It would force
>> the client to TCP. But then on TCP the client could ask for any random
>> string from a victim-zone. A string that the resolver would try to resolve.
>
> i think you should build a test network out of a bunch of VM's and find
> out what difference RRL makes in practice against an attack like this.
> the urban legend of "would force the client to TCP" isn't supported by
> theory and likely won't be supported by practice, either. RRL has three
> things it can do when it decides that a query is a duplicate. only one
> involves TC=1. the combination of all three yields systemic attenuation.

What happens to the recursor with typical RRL deployments on the server 
side?

Is the goal to take out the recursor as completely as possible, so that 
its operator is forced to disconnect the client that is spewing garbage 
queries?

Thanks,
Florian
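To make the "three things RRL can do" concrete, here is a small simulation, added as an example and not code from this thread, from BIND, or from any other RRL implementation. It models an authoritative server that, for each (client network, qname) bucket, either answers while credits remain, drops a repeated response, or "slips" a truncated TC=1 reply, and it reports how much traffic reaches the recursor compared with no rate limiting. The option names mirror BIND's rate-limit block (responses-per-second, window, slip) but the token-bucket accounting, the /24 and /56 bucket prefixes, and the 512-byte / 40-byte response sizes are simplifying assumptions of this example.

```python
"""Simplified model of DNS Response Rate Limiting (RRL) on an authoritative
server.  Added illustration; not the algorithm of any real implementation.
"""
import ipaddress
from collections import Counter, defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=15, slip=2):
        self.rps = responses_per_second   # steady-state answers per second per bucket
        self.window = window              # seconds of credit a quiet bucket may bank
        self.slip = slip                  # every Nth would-be-drop becomes TC=1 (0 = never)
        self._credits = {}                # bucket key -> (credits, last_refill_time)
        self._slip_counter = defaultdict(int)

    @staticmethod
    def _key(client_ip, qname):
        # Assumed bucketing: repeated identical responses to the same client
        # network share one bucket, so the limit applies to the repeat, not
        # to the whole server.
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 56
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net), qname.lower())

    def decide(self, client_ip, qname, now):
        """Return 'answer', 'truncate' or 'drop' for one response at time `now`."""
        key = self._key(client_ip, qname)
        credits, last = self._credits.get(key, (self.rps, now))
        # Simplified token bucket: refill at rps per second, bounded by window.
        credits = min(self.rps * self.window, credits + (now - last) * self.rps)
        if credits >= 1:
            self._credits[key] = (credits - 1, now)
            return "answer"
        self._credits[key] = (credits, now)
        # Over the limit: the response is normally dropped, but every
        # slip-th one is sent truncated so a genuine client can retry over TCP.
        self._slip_counter[key] += 1
        if self.slip and self._slip_counter[key] % self.slip == 0:
            return "truncate"
        return "drop"


def simulate_flood(n_queries, client_ip="192.0.2.7", qname="victim.example.", **opts):
    """Send n identical queries from one client network in a single instant
    (constructed burst) and count the server's three possible outcomes."""
    rrl = ResponseRateLimiter(**opts)
    counts = Counter(rrl.decide(client_ip, qname, now=0.0) for _ in range(n_queries))
    return dict(counts)


def attenuation(n_queries, full_answer_bytes=512, tc_bytes=40, **opts):
    """Fraction of response bytes that still leave the server with RRL on,
    relative to answering every query in full (assumed response sizes)."""
    counts = simulate_flood(n_queries, **opts)
    sent = counts.get("answer", 0) * full_answer_bytes + counts.get("truncate", 0) * tc_bytes
    return sent / (n_queries * full_answer_bytes)


if __name__ == "__main__":
    print(simulate_flood(1000))            # {'answer': 5, 'truncate': 497, 'drop': 498}
    print(f"attenuation: {attenuation(1000):.3f}")
    rrl = ResponseRateLimiter()
    for _ in range(6):
        rrl.decide("192.0.2.7", "victim.example.", now=0.0)
    # A second later the bucket has refilled and a genuine retry is answered.
    print(rrl.decide("192.0.2.7", "victim.example.", now=1.0))
    # A different client network or a different name uses its own bucket.
    print(rrl.decide("198.51.100.9", "victim.example.", now=0.0))
```

With the defaults, a burst of 1000 identical queries yields 5 full answers, 497 truncated replies and 498 drops, so only about 4% of the bytes that an unlimited server would have sent actually reach the recursor; the recursor is never "forced" to TCP for every query, it merely gets a TC hint on some of them. Because buckets refill, a recursor that backs off is answered again shortly afterwards, which is what Vixie means by attenuation rather than cutoff.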
