[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Paul Vixie paul at redbarn.org
Mon Sep 5 13:38:46 UTC 2016



Tony Finch wrote:
> Paul Vixie <paul at redbarn.org> wrote:
>> blocking ANY wastes your time and annoys the pig. only protocol aware rate
>> limiting, for example DNS RRL, will keep your authority server from being an
>> attractive reflecting amplifier.
>
> RRL and minimal-any mitigate different kinds of attacks.
>
> minimal-any is useful for query floods from legitimate clients (e.g. if a
> bunch of recursive servers are being used as amplifiers) because it avoids
> pushing queries to TCP and overloading the authoritative server.

what makes you think that DNS RRL pushes queries to TCP in a way that 
overloads the authority server?

if DNS RRL did that, it would be bad design, no matter whether the 
repeated flows are dominated by queries from legitimate clients, or not.

-- 
P Vixie
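The thread above argues about what DNS RRL does with the responses it refuses to send and how that compares with minimal-any. The following is an added example, not code from the thread or from any DNS server project: a simplified Python model of the RRL mechanism (a per-second token bucket keyed by client prefix, qname and qtype, with every Nth rate-limited response "slipped" as a small TC=1 reply instead of being dropped) and of the amplification an authoritative server offers a spoofed flood with and without it. All packet sizes, addresses and rates are constructed, and the names `RrlConfig`, `ResponseRateLimiter`, `simulate` and `amplification` are this example's own; real implementations (BIND, NSD, Knot) add details such as a debt window, response-class accounting and IPv6 /56 prefixes that this model leaves out.

```python
"""Simplified model of DNS Response Rate Limiting (RRL) and of the amplification
an authoritative server can be made to provide. Added example with constructed
numbers; it is not the RRL implementation of any DNS server."""

from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class RrlConfig:
    responses_per_second: int = 5   # identical responses allowed per client prefix per second
    slip: int = 2                   # every Nth limited response becomes a TC=1 reply, not a drop
    ipv4_prefix_length: int = 24    # clients are accounted per /24, as RRL does by default


@dataclass
class Bucket:
    tokens: int
    second: int        # the wall-clock second these tokens belong to
    limited: int = 0   # rate-limited responses seen this second; drives the slip decision


class ResponseRateLimiter:
    """Decides, per (client prefix, qname, qtype), whether a response is
    sent, dropped, or 'slipped' (answered with a small truncated reply)."""

    def __init__(self, cfg: RrlConfig) -> None:
        self.cfg = cfg
        self.buckets: dict = {}

    def _key(self, client_ip: str, qname: str, qtype: str) -> tuple:
        # Spoofed sources in one /24 share a bucket, so a flood cannot dodge the limit
        # by varying the low bits of the victim's address.
        prefix = ip_network(f"{client_ip}/{self.cfg.ipv4_prefix_length}", strict=False)
        return (str(prefix), qname.lower().rstrip("."), qtype.upper())

    def decide(self, client_ip: str, qname: str, qtype: str, now: float) -> str:
        rps = self.cfg.responses_per_second
        sec = int(now)
        key = self._key(client_ip, qname, qtype)
        bucket = self.buckets.get(key)
        if bucket is None or bucket.second != sec:
            # First sight of this client/response pair, or a new second: full credit again.
            bucket = Bucket(tokens=rps, second=sec)
            self.buckets[key] = bucket
        if bucket.tokens > 0:
            bucket.tokens -= 1
            return "send"
        bucket.limited += 1
        if self.cfg.slip and bucket.limited % self.cfg.slip == 0:
            # TC=1 reply: a genuine resolver retries over TCP (which a spoofer cannot
            # complete); only this fraction of limited queries is pushed toward TCP.
            return "slip"
        return "drop"


def simulate(cfg: RrlConfig, queries):
    """queries: iterable of (client_ip, qname, qtype, time). Returns [(client_ip, decision)]."""
    rrl = ResponseRateLimiter(cfg)
    return [(ip, rrl.decide(ip, name, qtype, t)) for ip, name, qtype, t in queries]


def tally(decisions) -> dict:
    counts = {"send": 0, "slip": 0, "drop": 0}
    for _, d in decisions:
        counts[d] += 1
    return counts


def amplification(counts: dict, query_bytes: int, full_bytes: int, tc_bytes: int) -> float:
    """Bytes reflected toward the spoofed source per byte the server received."""
    received = sum(counts.values()) * query_bytes
    sent = counts["send"] * full_bytes + counts["slip"] * tc_bytes
    return sent / received


# Constructed traffic: 1000 spoofed ANY queries within one second carrying the
# victim's address as source, plus a legitimate resolver asking three times.
SPOOFED_VICTIM = "192.0.2.7"
LEGIT_RESOLVER = "198.51.100.9"
FLOOD = [(SPOOFED_VICTIM, "example.com", "ANY", i / 1000) for i in range(1000)]
LEGIT = [(LEGIT_RESOLVER, "example.com", "ANY", t) for t in (0.1, 0.4, 0.9)]

# Constructed wire sizes: a 60-byte ANY query, a 3000-byte full ANY answer,
# a 200-byte minimal-any answer, and a 60-byte truncated (TC=1) reply.
QUERY_BYTES, FULL_ANY_BYTES, MINIMAL_ANY_BYTES, TC_BYTES = 60, 3000, 200, 60


def amplification_without_rrl(response_bytes: int) -> float:
    """Every query is answered in full: the classic reflector ratio."""
    return response_bytes / QUERY_BYTES


if __name__ == "__main__":
    counts = tally(simulate(RrlConfig(), FLOOD))
    print("flood decisions:", counts)
    print("amplification, full ANY, no RRL:   %.2f" % amplification_without_rrl(FULL_ANY_BYTES))
    print("amplification, minimal-any, no RRL: %.2f" % amplification_without_rrl(MINIMAL_ANY_BYTES))
    print("amplification, full ANY, with RRL:  %.3f" % amplification(counts, QUERY_BYTES, FULL_ANY_BYTES, TC_BYTES))
```

Run as a script, it shows the two mechanisms doing different jobs: RRL leaves the legitimate resolver (a different /24) entirely unaffected while collapsing the reflected volume toward the spoofed prefix to well under one byte out per byte in, with only half of the limited queries slipped as truncated replies; minimal-any instead shrinks every ANY answer, including those to clients that are not spoofed at all, which is the query-flood case Tony Finch raises.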
