[dns-operations] solutions for DDoS mitigation of DNS
songlinjian at gmail.com
Thu Apr 2 10:10:13 UTC 2020
I'm very confused that why people on the list are suggesting RRL (even
BCP38) to the victim of DoS attack? If I remember correctly, the goal of
both RRL and BCP38 is to reduce the chance of participating the attack as a
In the introduce of RRL (https://kb.isc.org/docs/aa-01000) , it goes :
"RRL helps mitigate DNS denial-of-service attacks by reducing the rate at
which authoritative servers respond to high volumes of malicious queries.
Please correct me .
On Thu, 2 Apr 2020 at 17:45, Ray Bellis <ray at isc.org> wrote:
> On 02/04/2020 10:12, Tessa Plum wrote:
> > All the packages were DNS requests, some queries like 'dig domain.com
> > but their IP address seems spoofed.
> > A request from the fake address to our nameserver, but nameserver try
> > its best to reply to this unreal address.
> If it's a recursive server, apply an ACL so that only expected clients
> can query.
> If it's an authoritative server, turn on Response Rate Limiting (RRL) if
> it's BIND, or the equivalent feature if is isn't.
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dns-operations