[dns-operations] solutions for DDoS mitigation of DNS

Davey Song songlinjian at gmail.com
Thu Apr 2 10:10:13 UTC 2020


I'm very confused that why people on the list are suggesting RRL (even
BCP38) to the victim of DoS attack? If I remember correctly, the goal of
both RRL and BCP38 is to reduce the chance of participating the attack as a
innocent helper.

In the introduce of RRL (https://kb.isc.org/docs/aa-01000)  , it goes :
"RRL helps mitigate DNS denial-of-service attacks by reducing the rate at
which authoritative servers respond to high volumes of malicious queries.
"

Please correct me .

Davey


On Thu, 2 Apr 2020 at 17:45, Ray Bellis <ray at isc.org> wrote:

>
>
> On 02/04/2020 10:12, Tessa Plum wrote:
>
> > All the packages were DNS requests, some queries like 'dig domain.com
> any'.
> > but their IP address seems spoofed.
> > A request from the fake address to our nameserver, but nameserver try
> > its best to reply to this unreal address.
>
> If it's a recursive server, apply an ACL so that only expected clients
> can query.
>
> If it's an authoritative server, turn on Response Rate Limiting (RRL) if
> it's BIND, or the equivalent feature if is isn't.
>
> Ray
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200402/55d92bfa/attachment.html>


More information about the dns-operations mailing list