[dns-operations] Spurious NXDOMAIN response from a DNS hosting provider
Ondřej Surý
ondrej at sury.org
Thu Apr 3 15:12:59 UTC 2025
What Vláďa said - implementing RRL (e.g. return empty answer with TC bit), requiring DNS COOKIE or perhaps at least just generating SERVFAIL would be a much better option.
Giving back NXDOMAIN is … misunderstanding DNS at best.
Ondrej
--
Ondřej Surý (He/Him)
> On 3. 4. 2025, at 15:57, Vladimír Čunát <vladimir.cunat+ietf at nic.cz> wrote:
>
>
> On 03/04/2025 15.18, Emmanuel Fusté wrote:
>> - DNS should never completely stop responding to one IP, just as it should never arbitrarily alter the value of an answer.
> Ideally yes, but... here's a consideration: if you don't reply or make some reply that looks like an error, the client is more likely to make more retries than when you reply with something that looks like a plausible answer. That's just for non-intentional DoS and perhaps indirect attacks through some 3rd-party resolver, of course; direct intentional attackers won't care.
>
> Still, I most likely wouldn't use NXDOMAIN in this case.
>
> Also note that over UDP the source IP is spoofable, so attackers can leverage such anti-DoS mechanisms to better DoS other particular consumers of that server.
>
> --Vladimir | knot-resolver.cz
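As an added illustration of the policy discussed in this thread (this is not code from the thread, from BIND or from Knot, whose RRL implementations differ in detail), here is a small Python simulation of an authoritative server that rate-limits per client prefix and, when a client is over the limit, "slips" a truncated empty NOERROR reply instead of an NXDOMAIN, while clients carrying a valid DNS COOKIE are exempt. The /24 and /56 prefix lengths, the rate and burst values, the zone, the client addresses and the simplified HMAC cookie scheme are all constructed assumptions for the example; OPT RR parsing is left out and the cookie pair is passed in already decoded.

```python
"""Simulation of an RRL "slip" policy for an authoritative nameserver.

Over-limit clients get a short truncated reply (QR=1, TC=1, RCODE=NOERROR, empty
answer section) rather than an NXDOMAIN: a genuine resolver reads TC as "retry
over TCP", while a spoofed UDP flood gets a reply no larger than the query, so
nothing is amplified toward the spoofed victim.  Added example; not code from the
mailing-list thread, BIND or Knot.
"""
import hashlib
import hmac
import ipaddress
import struct
from collections import defaultdict

QR, AA, TC = 1 << 15, 1 << 10, 1 << 9
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def decode_name(buf):
    labels, i = [], 0
    while buf[i]:
        labels.append(buf[i + 1:i + 1 + buf[i]].decode())
        i += 1 + buf[i]
    return ".".join(labels) + "."


def build_query(qid, qname, qtype=1):
    """Constructed sample query: 12-byte header plus one question, no OPT RR."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_response(pkt):
    qid, flags, _qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    return {"id": qid, "tc": bool(flags & TC), "rcode": flags & 0xF, "ancount": an}


class TokenBucket:
    """Answers per second allowed to one client prefix, with a burst allowance."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), None

    def take(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class RrlServer:
    def __init__(self, zone, rate=5, burst=5, secret=b"constructed-server-secret"):
        self.zone = zone  # {qname: IPv4 address}; constructed sample data
        self.secret = secret
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    @staticmethod
    def prefix(ip):
        """Count per /24 (IPv4) or /56 (IPv6) (assumed granularity) so that a flood
        spread over many addresses in one prefix still trips the limit."""
        addr = ipaddress.ip_address(ip)
        plen = 24 if addr.version == 4 else 56
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def server_cookie(self, client_ip, client_cookie):
        """Simplified server cookie: truncated HMAC over client cookie and source
        address.  RFC 9018 specifies a SipHash-2-4 layout; this stand-in only shows
        the binding to the source address, which a spoofing client cannot obtain."""
        msg = client_cookie + ipaddress.ip_address(client_ip).packed
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def respond(self, client_ip, query, now, cookie=None):
        """cookie: (client_cookie, server_cookie) already extracted from the OPT RR."""
        qid, qflags = struct.unpack_from("!HH", query, 0)
        question = query[12:]
        rflags = QR | AA | (qflags & 0x0100)  # echo RD
        cookie_ok = cookie is not None and hmac.compare_digest(
            cookie[1], self.server_cookie(client_ip, cookie[0]))
        if cookie_ok or self.buckets[self.prefix(client_ip)].take(now):
            rdata = self.zone.get(decode_name(question))
            if rdata is None:
                # The only legitimate NXDOMAIN: the name really does not exist.
                return struct.pack("!HHHHHH", qid, rflags | RCODE_NXDOMAIN, 1, 0, 0, 0) + question
            rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(rdata).packed
            return struct.pack("!HHHHHH", qid, rflags | RCODE_NOERROR, 1, 1, 0, 0) + question + rr
        # Over limit: slip a truncated, empty NOERROR reply.  Not NXDOMAIN, which a
        # resolver would take as an authoritative statement that the name is gone.
        return struct.pack("!HHHHHH", qid, rflags | TC | RCODE_NOERROR, 1, 0, 0, 0) + question


if __name__ == "__main__":
    server = RrlServer({"www.example.com.": "192.0.2.10"}, rate=5, burst=3)
    q = build_query(0x1234, "www.example.com.")
    for i in range(5):  # constructed burst from addresses in one /24
        print(i, parse_response(server.respond(f"198.51.100.{i}", q, now=1000.0)))
```

The slipped reply is exactly as long as the query (header plus echoed question), which is what removes the amplification Vladimír points out a spoofer could otherwise exploit; the `AA` and `RD` handling is kept minimal and a real server would also copy EDNS and set the OPT RR in the truncated reply.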