[dns-operations] Spurious NXDOMAIN response from a DNS hosting provider

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Thu Apr 3 13:57:08 UTC 2025


On 03/04/2025 15.18, Emmanuel Fusté wrote:
> - DNS should never completely stop responding to one IP, just as it 
> should never arbitrarily alter the value of an answer. 

Ideally yes, but... here's a consideration: if you don't reply or make 
some reply that looks like an error, the client is more likely to make 
more retries than when you reply with something that looks like a 
plausible answer.  That's just for non-intentional DoS and perhaps 
indirect attacks through some 3rd-party resolver, of course; direct 
intentional attackers won't care.

Still, I most likely wouldn't use NXDOMAIN in this case.

Also note that over UDP the source IP is spoofable, so attackers can 
leverage such anti-DoS mechanisms to better DoS other particular 
consumers of that server.

--Vladimir | knot-resolver.cz