<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 03/04/2025 15.18, Emmanuel Fusté
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:996e1b75-5bbc-48b9-88b0-8550ec719bf6@gmail.com">- DNS
should never completely stop responding to one IP, just as it
should never arbitrarily alter the value of an answer.
</blockquote>
<p>Ideally yes, but... here's a consideration: if you don't reply or
make some reply that looks like an error, the client is more
likely to make more retries than when you reply with something
that looks like a plausible answer. That's just for
non-intentional DoS and perhaps indirect attacks through some
3rd-party resolver, of course; direct intentional attackers won't
care.</p>
<p>Still, I most likely wouldn't use NXDOMAIN in this case.</p>
<p>Also note that over UDP the source IP is spoofable, so attackers
can leverage such anti-DoS mechanisms to better DoS other
particular consumers of that server.</p>
<p>--Vladimir | knot-resolver.cz</p>
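<p>An added illustration of the trade-off in this exchange (example code, not from the thread and not Knot Resolver's own implementation): a toy per-source rate limiter that never limits TCP queries, since a completed handshake proves the source address, and that answers every second excess UDP query with a truncated (TC=1) reply instead of staying silent, so a genuine client falls back to TCP while a spoofed victim only sees a trickle of replies it discards. The budget, window, slip ratio and addresses are constructed for the example.</p>

```python
"""Toy DNS response-rate limiter showing the "silence invites retries and
can be turned against a spoofed victim" problem and one common mitigation.
Constructed parameters; a real resolver tunes these per deployment."""
import time
from collections import defaultdict

RATE_LIMIT = 5   # responses per window per source IP (constructed)
WINDOW = 1.0     # window length in seconds (constructed)
SLIP = 2         # every SLIP-th excess query gets a TC=1 reply (constructed)


class RateLimiter:
    def __init__(self, limit=RATE_LIMIT, window=WINDOW, slip=SLIP,
                 now=time.monotonic):
        self.limit, self.window, self.slip, self.now = limit, window, slip, now
        self.buckets = defaultdict(lambda: [0.0, 0])  # ip -> [window_start, count]
        self.excess = defaultdict(int)                # ip -> excess queries seen

    def decide(self, src_ip, transport):
        """Return 'answer', 'truncate' or 'drop' for one query."""
        if transport == "tcp":
            # A TCP source completed the handshake, so src_ip is not spoofed:
            # a client pushed to TCP by a TC=1 reply must always get an answer.
            return "answer"
        start, count = self.buckets[src_ip]
        t = self.now()
        if t - start >= self.window:
            start, count = t, 0           # fresh window for this source
        count += 1
        self.buckets[src_ip] = [start, count]
        if count <= self.limit:
            return "answer"
        # Over budget. Pure silence (or an error-looking reply) makes real
        # clients retry harder, and because UDP sources are spoofable an
        # attacker could trigger that silence against a chosen victim IP.
        # So every slip-th excess query gets a small TC=1 reply: a genuine
        # client retries over TCP, a spoofed victim just drops the datagram.
        self.excess[src_ip] += 1
        if self.excess[src_ip] % self.slip == 0:
            return "truncate"
        return "drop"


def simulate(queries, limiter):
    """Run (src_ip, transport) pairs through the limiter; return the decisions."""
    return [limiter.decide(ip, transport) for ip, transport in queries]
```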
</body>
</html>