[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Mukund Sivaraman muks at isc.org
Mon Oct 24 16:23:19 UTC 2016


Hi Jared

On Mon, Oct 24, 2016 at 11:57:04AM -0400, Jared Mauch wrote:
> It seems that having something here would be of value to those that
> operate servers facing customers to minimize the impact vs complete
> amplification as everyone's caches remain expired at once and
> participate in an attack.

TTL=0 answers are not cached. If an out-of-spec resolver implementing
this scheme finds that a remote nameserver is not reachable and serves a
stale answer with TTL=0, its client will not cache that answer
either. When there's a new client query, with this logic, the resolver
will try to fetch an answer from the remote nameserver again to see if
it is available because the answer in its cache has expired and it only
serves these manufactured TTL=0 answers when the remote nameserver is
not reachable. This will not minimize the number of fetches directed at
an authoritative server.

		Mukund
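The fetch behaviour described above, as an added example that is not part of the original message: a toy resolver plus stub-client model (constructed here, not any real resolver's code) that counts the queries reaching the resolver and the fetches sent to the authoritative server during an outage, once with the stale answer handed out at TTL=0 and, for contrast, with a nonzero stale TTL (an assumption added for comparison, not something proposed in the thread).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CachedAnswer:
    rdata: str
    expires_at: int          # absolute second at which the cached TTL runs out


class Resolver:
    """Toy recursive resolver: when the authoritative server is unreachable it
    hands out the expired answer re-stamped with `stale_ttl` (constructed model)."""

    def __init__(self, stale_ttl: int, outage_start: int):
        self.stale_ttl = stale_ttl
        self.outage_start = outage_start          # upstream unreachable from here on
        self.cache: Dict[str, CachedAnswer] = {}
        self.upstream_fetches = 0

    def query(self, name: str, now: int) -> Tuple[Optional[str], int]:
        """Return (rdata, ttl); (None, 0) stands in for SERVFAIL."""
        cached = self.cache.get(name)
        if cached and cached.expires_at > now:
            return cached.rdata, cached.expires_at - now    # ordinary cache hit
        self.upstream_fetches += 1                          # expired: ask authoritative
        if now < self.outage_start:
            self.cache[name] = CachedAnswer("192.0.2.1", now + 300)   # TTL 300 answer
            return "192.0.2.1", 300
        if cached is None:
            return None, 0
        # Unreachable: serve the stale answer; with stale_ttl=0 it expires at once,
        # so the very next query is another upstream attempt.
        cached.expires_at = now + self.stale_ttl
        return cached.rdata, self.stale_ttl


def simulate(stale_ttl: int, seconds: int = 900, outage_start: int = 100) -> Tuple[int, int]:
    """One stub client wants the same name every second and honours the TTL it
    gets. Returns (queries that reached the resolver, fetches sent upstream)."""
    resolver = Resolver(stale_ttl, outage_start)
    client_expires = -1
    client_queries = 0
    for now in range(seconds):
        if client_expires > now:
            continue                                 # client still holds a cached answer
        client_queries += 1
        rdata, ttl = resolver.query("www.example.com", now)
        client_expires = now + ttl if rdata else -1
    return client_queries, resolver.upstream_fetches


if __name__ == "__main__":
    print("stale TTL 0  ->", simulate(0))    # every second of the outage is an upstream fetch
    print("stale TTL 30 ->", simulate(30))   # one fetch per 30 s while the outage lasts
```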