
Open Resolver Problems

Ben Aitchison wrote:

>> Authoritative DNS servers need to implement rate limiting. (a client
>> shouldn't query you twice for the same thing within its TTL).
> unbound with its dns-prefetching queries a DNS server again in I think the last 10% of the TTL when
> returning a hit to the client to refresh the TTL and keep it current.

They are the worst things to do against DDOS, as queries must be
repeated if query or reply packets are dropped, often because of

Rate limiting with a token bucket 5 or 7 packets deep could be
useful, though it enables 5 or 7 times amplification.

> That said, a lot of these amplification attacks use ANY
> requests, which normal clients don't.  And those could be
> rate limited down without affecting normal traffic I'm sure.

We should rather obsolete DNSSEC, which amplifies a lot even
though it is not really deployed.

					Masataka Ohta
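As an added illustration (not part of this thread, and not the code of unbound or any named server), here is a per-client token-bucket response limiter of the kind discussed above. It shows that the bucket depth is exactly the burst of replies a spoofed flood can still draw toward the victim, while a resolver that asks once per TTL is never throttled; the addresses, rates and packet sizes are constructed sample values.

```python
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: at most `depth` tokens, refilled at `rate` tokens/second."""

    def __init__(self, depth: int, rate: float):
        self.depth = depth
        self.rate = rate
        self.tokens = float(depth)  # start full so a fresh client is never delayed
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, but never beyond the bucket depth.
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ResponseRateLimiter:
    """One bucket per (client IP, qname, qtype). A legitimate resolver asks once
    per TTL; a spoofed flood asks the same question thousands of times."""

    def __init__(self, depth: int = 5, rate: float = 1.0):
        self.buckets = defaultdict(lambda: TokenBucket(depth, rate))

    def should_answer(self, client_ip: str, qname: str, qtype: str, now: float) -> bool:
        return self.buckets[(client_ip, qname, qtype)].allow(now)


def burst_toward_victim(limiter, n_queries, reply_bytes, victim_ip="192.0.2.1"):
    """Constructed scenario: n spoofed queries arrive at t=0 with the victim's
    address as source. Returns (replies actually sent, bytes delivered to the
    victim). Without limiting this would be n * reply_bytes; with a bucket of
    depth d it is capped at d * reply_bytes, the '5 or 7 times' of the post."""
    sent = sum(limiter.should_answer(victim_ip, "example.com.", "ANY", 0.0)
               for _ in range(n_queries))
    return sent, sent * reply_bytes
```

Keying on the (spoofed) source address means a flood also starves that address's genuine queries, which is why production RRL implementations mix in truncated (TC=1) "slip" replies so a real resolver can retry over TCP.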