[dns-operations] [DNSOP] bind fails to continue recursing on one specific query

Peter DeVries pdevries at quotient-inc.com
Wed Mar 29 10:51:41 UTC 2023


On Tue, Mar 28, 2023, 9:23 PM Dave Lawrence <tale at dd.org> wrote:

> Peter DeVries via dns-operations writes:
> > We almost blocked these because we didn't know what they were but then
> > I stumbled upon one of the old RFC drafts for query minimization and
> > it does mention this as a technique.
>
> Why would you drop them if you had not stumbled on the old draft?
>
> It is very poor form for nameservers to intentionally not respond to
> queries under normal operation.  Now if you were getting hammered by
> an unreasonable volume of them that would be another thing.


1/4 - 1/3 of all incoming queries matched this signature during DDoS
attacks.  It was potentially a quick help.

In the end this actually helped profile well-behaved servers more than
attackers, and I will note we did not block this traffic at any point.


> Another relevant draft:
> https://datatracker.ietf.org/doc/html/rfc8906


Not sure how; it doesn't address _. as a use case at all and I only see
testing for minimal EDNS, not minimal qname.

Peter