[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Jared Mauch jared at puck.nether.net
Mon Oct 24 15:57:04 UTC 2016


> On Oct 24, 2016, at 11:54 AM, Tony Finch <dot at dotat.at> wrote:
> 
> Jared Mauch <jared at puck.nether.net> wrote:
>> 
>> 	I saw some people return the last known good response w/ TTL=0,
>> when the authorities are unresponsive.  How widely is this used/configured?
> 
> OpenDNS does that; I don't know of any others.
> 

I believe that CN-NIC also has an option to do this, or at least to load the last known
good cache.  (I think this may have been presented at DNSOP at a recent IETF meeting).

It seems that having something here would be of value to those that operate servers
facing customers to minimize the impact vs. complete amplification as everyone's caches
remain expired at once and participate in an attack.

- Jared
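As an added illustration of the serve-stale behaviour discussed in this message (not code from the thread or from any resolver named in it): a toy resolver cache that returns the last known good answer with TTL=0 once the record has expired and the authority is unreachable. The refresh hold-down (`retry_after`) is an assumption about how such a resolver would limit upstream retries during an outage; the clock, upstream and records are constructed.

```python
import time

class FakeClock:
    """Controllable clock so the example runs deterministically offline."""
    def __init__(self, start=0.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

class FlakyUpstream:
    """Constructed stand-in for the authoritative servers; raises while 'down'."""
    def __init__(self, records):
        self.records = records   # name -> (rdata, ttl)
        self.down = False
        self.queries = 0         # how many times the resolver went upstream
    def __call__(self, name):
        self.queries += 1
        if self.down:
            raise TimeoutError("authority unreachable")
        return self.records[name]

class StaleServingCache:
    """Resolver cache: fresh answers carry their remaining TTL; once expired and
    the authority fails, the last known good answer is returned with TTL=0.
    retry_after (an assumption) throttles upstream refresh attempts so an
    outage does not turn every client query into another upstream retry."""
    def __init__(self, upstream, clock=time.time, retry_after=30):
        self.upstream, self.clock, self.retry_after = upstream, clock, retry_after
        self.cache = {}          # name -> (rdata, expires_at)
        self.last_fail = {}      # name -> time of last failed refresh

    def resolve(self, name):
        """Return (rdata, ttl, is_stale); raise if nothing is known and upstream fails."""
        now = self.clock()
        entry = self.cache.get(name)
        if entry and entry[1] > now:
            return entry[0], int(entry[1] - now), False      # fresh hit
        if entry and now - self.last_fail.get(name, -1e9) < self.retry_after:
            return entry[0], 0, True                        # stale, refresh held down
        try:
            rdata, ttl = self.upstream(name)
        except Exception:
            self.last_fail[name] = now
            if entry:
                return entry[0], 0, True                    # stale answer, TTL=0
            raise                                           # no last known good answer
        self.cache[name] = (rdata, now + ttl)
        self.last_fail.pop(name, None)
        return rdata, ttl, False
```

With TTL=0 on stale answers, downstream clients will re-ask on every lookup, which is why the refresh hold-down matters for keeping upstream retry volume bounded during an outage.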


