[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)
Jared Mauch
jared at puck.nether.net
Mon Oct 24 15:23:55 UTC 2016
On Mon, Oct 24, 2016 at 11:47:22AM +0100, Tony Finch wrote:
> Doug Porter <dsp at dsp.name> wrote:
>
> > We saw as much as a 35x increase in queries toward Dyn (as33517)
> > during the attacks (graph attached). I'm curious what other parties
> > saw. Do we all need to think harder about preventing a pile on in
> > these scenarios?
>
> Recent versions of BIND have recursive client rate limiting which should
> reduce the volume of retries to unreachable authoritative servers.
>
> https://kb.isc.org/article/AA-01304
I saw some people return the last known good response w/ TTL=0,
when the authorities are unresponsive. How widely is this used/configured?
- Jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
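The "last known good answer with TTL=0" behaviour Jared describes is what later became known as serve-stale (RFC 8767). The following is an added illustration, not code from the thread or from any resolver mentioned in it: a small recursive cache that answers from cache while the record is fresh, re-fetches on expiry, and, when the authoritative side is unreachable, hands back the expired record with TTL=0 so downstream caches do not pin the stale data. The upstream, the fake clock, the record for `www.example.` and the `max_stale` bound are all constructed for the example.

```python
import time
from dataclasses import dataclass


class UpstreamUnavailable(Exception):
    """Raised when every authoritative server for a name fails to answer."""


@dataclass
class CacheEntry:
    rdata: list      # answer RRset data, e.g. a list of IPv4 strings
    ttl: int         # TTL the authority handed us
    inserted: float  # wall-clock time the entry was stored


class ServeStaleCache:
    """Resolver cache with serve-stale: expired answers are returned with
    TTL=0 when the authority is down, up to max_stale seconds past expiry."""

    def __init__(self, fetch, clock=time.time, max_stale=86400):
        self._fetch = fetch        # callable(name) -> (rdata, ttl) or raises UpstreamUnavailable
        self._clock = clock
        self._max_stale = max_stale
        self._cache = {}

    def resolve(self, name):
        """Return (rdata, ttl_to_send, served_stale)."""
        now = self._clock()
        entry = self._cache.get(name)
        if entry is not None:
            age = now - entry.inserted
            if age < entry.ttl:
                # Fresh: decrement TTL by the time it sat in cache.
                return entry.rdata, int(entry.ttl - age), False
        try:
            rdata, ttl = self._fetch(name)
        except UpstreamUnavailable:
            # Authority unreachable: serve the last known good answer with TTL=0
            # if it has not been expired for longer than max_stale.
            if entry is not None and (now - entry.inserted) - entry.ttl <= self._max_stale:
                return entry.rdata, 0, True
            raise
        self._cache[name] = CacheEntry(rdata, ttl, now)
        return rdata, ttl, False


class FakeClock:
    """Constructed clock so the example runs deterministically."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeUpstream:
    """Constructed stand-in for the authoritative servers; 'down' simulates
    an outage like the one discussed in the thread."""

    def __init__(self):
        self.down = False
        self.records = {"www.example.": (["192.0.2.10"], 300)}
        self.queries = 0

    def __call__(self, name):
        self.queries += 1
        if self.down or name not in self.records:
            raise UpstreamUnavailable(name)
        return self.records[name]


def demo():
    """Walk through fresh, cached, stale and too-stale phases; returns the observations."""
    clock, upstream = FakeClock(), FakeUpstream()
    cache = ServeStaleCache(upstream, clock=clock, max_stale=86400)
    out = []
    out.append(cache.resolve("www.example."))   # miss -> fetched, ttl 300
    clock.advance(100)
    out.append(cache.resolve("www.example."))   # hit, ttl 200
    clock.advance(300)
    upstream.down = True
    out.append(cache.resolve("www.example."))   # expired + outage -> stale, ttl 0
    clock.advance(2 * 86400)
    try:
        cache.resolve("www.example.")           # stale for too long -> error
        out.append("unexpected")
    except UpstreamUnavailable:
        out.append("SERVFAIL")
    upstream.down = False
    out.append(cache.resolve("www.example."))   # authority back -> fresh
    return out, upstream.queries


if __name__ == "__main__":
    for step in demo()[0]:
        print(step)
```

Note that a TTL=0 stale answer still costs one upstream attempt per client query, so it keeps clients working but does not by itself reduce the retry storm; pairing it with a cap on outstanding fetches per server (the BIND rate limiting Tony refers to) is what trims the pile-on.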