[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Mukund Sivaraman muks at isc.org
Mon Oct 24 17:25:21 UTC 2016


Hi Jared

On Mon, Oct 24, 2016 at 12:29:24PM -0400, Jared Mauch wrote:
> 
> > On Oct 24, 2016, at 12:23 PM, Mukund Sivaraman <muks at isc.org> wrote:
> > 
> > This will not minimize the number of fetches directed at
> > an authoritative server.
> 
> I’m not certain of this, eg: bind has limits on fetches per NS, so
> it’s not like 1000 clients asking for the same QNAME would result in a
> 1K QPS load on the back-side, but these synthesized responses would
> certainly increase the stub -> recursive query volume assuming they
> honor the TTL=0.

In the BIND resolver, for an outstanding question that's already being asked
to an authoritative server, no further fetches will be sent for
it. That's even without the fetches-per-server stuff. Even without any
serving of stale answers, if a resolver gets 1000 client queries for a
name in a sequence and there's no non-expired answer in cache, it will
send 1 fetch to a remote NS and while that is outstanding, join the rest
of the queries with the first.

		Mukund
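The coalescing behaviour described above, as an added illustration (example code written for this archive page, not BIND's implementation): a toy resolver model in which every client query that misses the cache while a fetch for the same (qname, qtype) is outstanding joins that fetch instead of starting another, so a burst of 1000 client queries costs the authoritative server one fetch, and TTL=0 only means the next burst after the answer returns triggers the next fetch. The class names, `simulate()`, `example.com.` and the 192.0.2.1 answer are all constructed.

```python
from collections import defaultdict

class AuthServer:
    """Stand-in authoritative server (constructed) that counts the fetches it receives."""
    def __init__(self, ttl):
        self.ttl = ttl
        self.fetches = 0
    def receive(self, qname, qtype):
        self.fetches += 1                  # one fetch on the wire
        return ("192.0.2.1", self.ttl)     # constructed RDATA and TTL

class Resolver:
    """Toy recursive resolver: a cache plus a table of outstanding fetches."""
    def __init__(self, auth):
        self.auth = auth
        self.cache = {}                    # key -> (rdata, expires_at)
        self.inflight = defaultdict(list)  # key -> clients waiting on one fetch
        self.pending = {}                  # key -> answer still "in transit"
        self.client_queries = 0
    def query(self, client, qname, qtype, now):
        """Returns a cached answer, or None when the client must wait for a fetch."""
        self.client_queries += 1
        key = (qname, qtype)
        if key in self.cache and self.cache[key][1] > now:
            return self.cache[key][0]
        if key not in self.inflight:       # first miss sends the single fetch
            self.pending[key] = self.auth.receive(qname, qtype)
        self.inflight[key].append(client)  # later misses join it: no new fetch
        return None
    def complete_fetch(self, qname, qtype, now):
        """Answer arrives: cache it if TTL > 0 and release every waiter."""
        key = (qname, qtype)
        if key not in self.pending:
            return 0
        rdata, ttl = self.pending.pop(key)
        if ttl > 0:                        # TTL=0 is never cached: next miss refetches
            self.cache[key] = (rdata, now + ttl)
        return len(self.inflight.pop(key))

def simulate(ttl, clients=1000):
    """Two bursts of `clients` queries for one name; each burst arrives while the
    fetch it triggers is outstanding. Returns (auth fetches, client queries)."""
    auth = AuthServer(ttl)
    r = Resolver(auth)
    for t in (0, 2):
        for c in range(clients):
            r.query(c, "example.com.", "A", now=t)
        r.complete_fetch("example.com.", "A", now=t + 1)
    return auth.fetches, r.client_queries
```

With TTL=0 the model sends two fetches for 2000 client queries (one per burst); with a positive TTL the second burst is served from cache and only one fetch is sent, which is the distinction between authoritative load and stub-to-recursive volume drawn in the thread.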