nanog mailing list archives

Re: Open Resolver Problems


From: Masataka Ohta <mohta () necom830 hpcl titech ac jp>
Date: Fri, 29 Mar 2013 20:58:30 +0900

Ben Aitchison wrote:

> Authoritative DNS servers need to implement rate limiting. (a client
> shouldn't query you twice for the same thing within its TTL).
>
> unbound with its dns-prefetching queries a DNS server again in I think the last 10% of TTL when
> returning a hit to the client to refresh the TTL and keep it current.

They are the worst things to do against DDOS, as queries must be
repeated if query or reply packets are dropped, often because of
DDOS.

Rate limiting with a token bucket 5 or 7 packets deep could be
useful, though it enables 5 or 7 times amplification.

> That said, a lot of these amplification attacks use ANY
> requests, which normal clients don't.  And those could be
> rate limited down without affecting normal traffic I'm sure.

We should rather obsolete DNSSEC, which amplifies a lot even
though it is not really deployed.

                                        Masataka Ohta
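A per-source token-bucket response rate limiter of the kind discussed in the message above, added here as an illustration (it is not code from the thread or from any DNS server); the bucket depths, refill rates, source addresses and the simulated query bursts are all constructed. It shows the caveat raised above: a bucket N packets deep still hands an attacker N amplified responses per source per burst, while a separate, much shallower bucket for ANY queries cuts that down without touching ordinary query types.

```python
# Added example: token-bucket response rate limiting per source address,
# with a tighter bucket for ANY queries. Not from the thread; values constructed.
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: at most `depth` tokens, refilled at `rate` tokens/sec."""

    def __init__(self, depth, rate):
        self.depth, self.rate = depth, rate
        self.tokens, self.last = float(depth), None

    def take(self, now):
        """Consume one token at time `now` if available; return True if allowed."""
        if self.last is None:
            self.last = now
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ResponseRateLimiter:
    """One bucket per (source IP, is_ANY). ANY queries, which normal clients
    rarely send, get a far shallower bucket than other query types."""

    def __init__(self, depth=5, rate=1.0, any_depth=1, any_rate=0.1):
        self.cfg = {False: (depth, rate), True: (any_depth, any_rate)}
        self.buckets = defaultdict(dict)  # src_ip -> {is_any: TokenBucket}

    def should_respond(self, src_ip, qtype, now):
        is_any = qtype.upper() == "ANY"
        bucket = self.buckets[src_ip].get(is_any)
        if bucket is None:
            bucket = self.buckets[src_ip][is_any] = TokenBucket(*self.cfg[is_any])
        return bucket.take(now)


def run_burst(limiter, src_ip, qtype, count, start=0.0, spacing=0.0):
    """Simulate `count` queries from `src_ip` starting at `start`, `spacing`
    seconds apart (constructed traffic). Returns (answered, dropped)."""
    answered = 0
    for i in range(count):
        if limiter.should_respond(src_ip, qtype, start + i * spacing):
            answered += 1
    return answered, count - answered
```

With a depth-5 bucket, a burst of 20 spoofed A queries from one source gets 5 responses (the "5 times amplification" from the message), while the depth-1 ANY bucket lets exactly one ANY response through per refill interval.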

