[dns-operations] Spurious NXDOMAIN response from a DNS hosting provider
Vladimír Čunát
vladimir.cunat+ietf at nic.cz
Thu Apr 3 13:57:08 UTC 2025
On 03/04/2025 15.18, Emmanuel Fusté wrote:
> - DNS should never completely stop responding to one IP, just as it
> should never arbitrary alter the value of an answer.
Ideally yes, but... here's a consideration: if you don't reply or make
some reply that looks like an error, the client is more likely to make
more retries than when you reply with something that looks like a
plausible answer. That's just for non-intentional DoS and perhaps
indirect attacks through some 3rd-party resolver, of course; direct
intentional attackers won't care.
Still, I most likely wouldn't use NXDOMAIN in this case.
Also note that over UDP the source IP is spoofable, so attackers can
leverage such anti-DoS mechanisms to better DoS other particular
consumers of that server.
--Vladimir | knot-resolver.cz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20250403/f533d11d/attachment.html>
More information about the dns-operations
mailing list