[dns-operations] EC2 resolver changing TTL on DNS answers?

Colm MacCárthaigh colm at stdlib.net
Wed Nov 29 06:29:00 UTC 2017


On Tue, Nov 28, 2017 at 9:14 PM, Giovane C. M. Moura <giovane.moura at sidn.nl>
wrote:
>
> And I wonder how manipulating TTLs on the resolver side can actually be
> an issue during a major DDoS attack. I mean, shorter TTLs may lead
> caches on applications/stub resolvers/recursive resolvers to expire much
> more quickly, which under normal operations is fine, but we may be
> prematurely discarding a valid answer, which could be an issue during a
> major DDoS against authoritative servers (any thoughts on that?).
>

This is a good concern! It's actually fairly easy to mitigate though - when
you can't reach an authoritative server, be willing to serve the most
recent, but stale, cache entry. In practice this is much more resilient and
overall better than returning SERVFAIL to clients.

-- 
Colm
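The serve-stale behaviour described in the reply above, as an added illustration that is not part of the original thread: a minimal resolver cache that hands out the most recent expired entry (with a short advertised TTL) when the authoritative side cannot be reached, and only falls back to a SERVFAIL-style error when nothing usable is cached. The constants STALE_TTL and MAX_STALE, the UpstreamUnreachable exception and the injected lookup function are assumptions for the example, not values from the list message.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed policy values (not from the thread): a stale answer is advertised
# with a short TTL so clients re-ask soon, and expired entries are kept for a
# bounded window so stale serving cannot resurrect very old data.
STALE_TTL = 30           # seconds advertised on a stale answer
MAX_STALE = 7 * 86400    # seconds an expired entry remains eligible for stale serving


class UpstreamUnreachable(Exception):
    """Raised by the lookup function when no authoritative server answers
    (the situation in which a plain cache would return SERVFAIL)."""


@dataclass
class CacheEntry:
    rdata: str
    expires_at: float    # absolute time at which the original TTL runs out


class ServeStaleCache:
    def __init__(self, lookup: Callable[[str], tuple[str, int]], now=time.time):
        self._lookup = lookup          # queries the authoritative side: (rdata, ttl)
        self._now = now                # injectable clock, so tests can move time
        self._cache: dict[str, CacheEntry] = {}

    def resolve(self, name: str) -> tuple[str, int]:
        """Return (rdata, ttl). Raises UpstreamUnreachable only when the
        upstream is down AND no stale entry within MAX_STALE exists."""
        now = self._now()
        entry: Optional[CacheEntry] = self._cache.get(name)
        if entry and entry.expires_at > now:
            # Fresh hit: serve with the remaining TTL, as any cache would.
            return entry.rdata, int(entry.expires_at - now)
        try:
            rdata, ttl = self._lookup(name)
        except UpstreamUnreachable:
            # Authoritative unreachable: prefer the stale entry over failing,
            # provided it has not aged past the stale window.
            if entry and now - entry.expires_at <= MAX_STALE:
                return entry.rdata, STALE_TTL
            raise
        self._cache[name] = CacheEntry(rdata, now + ttl)
        return rdata, ttl
```

Because the TTL handed to clients on a stale answer is STALE_TTL rather than the original value, a recursive resolver that clamps or shortens TTLs does not lose anything under this policy: the expiry only decides when to re-ask, not whether a last-known-good answer can still be served.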

