[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Paul Vixie paul at redbarn.org
Mon Sep 5 13:38:46 UTC 2016

Tony Finch wrote:
> Paul Vixie<paul at redbarn.org>  wrote:
>> blocking ANY wastes your time and annoys the pig. only protocol aware rate
>> limiting, for example DNS RRL, will keep your authority server from being an
>> attractive reflecting amplifier.
> RRL and minimal-any mitigate different kinds of attacks.
> minimal-any is useful for query floods from legitimate clients (e.g. if a
> bunch of recursive servers are being used as amplifiers) because it avoids
> pushing queries to TCP and overloading the authoritative server.

what makes you think that DNS RRL pushes queries to TCP in a way that 
overloads the authority server?

if DNS RRL did that, it would be bad design, no matter whether the 
repeated flows are dominated by queries from legitimate clients, or not.

P Vixie

More information about the dns-operations mailing list