RRL and avoiding contributing to DDoS (Was: How to suppress ADDITIONAL SECTION per zone)

Vernon Schryver vjs at rhyolite.com
Fri Jul 5 23:11:35 UTC 2013


> From: Dave Warren <davew at hireahit.com>

> I haven't been following the RRL discussions too closely, is this patch 
> scheduled to be included in BIND9 proper or will it remain a patch?

} From: Evan Hunt each at isc.org 

} > It's not built into bind (yet).
}
} Correct.  For the record, it'll be in 9.10.0 by default and 9.9.4 as a
} compile-time option (--enable-rrl).

    https://lists.isc.org/pipermail/bind-users/2013-June/090872.html


> In the meantime, would it make sense to set "minimal-responses yes" 
> proactively, or only if a spike of activity is detected (noting that it 
> will take us 1-3 days to notice a spike unless it's disruptive to 
> performance)?

Depending on your DNS data, a minimal response offers bad guys
between significant and more than enough amplification for a DNS
reflection attack.  While a "minimal-responses yes" without RRL DNS
server is participating in a DNS reflection attack, it can be sending
a lot of bits/second.  Some DNS servers are not bothered by a few
extra Gbit/sec of DNS output bandwidth, but many are.

In other words, as I see them, as DNS reflection mitigation,
"minimal-responses yes" is like blocking ANY,
just wishful thinking.


Vernon Schryver    vjs at rhyolite.com
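
An added illustration of the point above about response sizes (not part of the original message, and not BIND code): the Python below builds an EDNS query and answer-only ("minimal") responses in DNS wire format and compares their sizes for different record sets. The name example.com, the record sets and the 4096-byte EDNS buffer size are constructed sample values.

```python
import struct

def encode_name(name):
    """Encode a domain name as uncompressed length-prefixed labels (RFC 1035)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def opt_rr(udp_size=4096):
    """EDNS0 OPT pseudo-record (RFC 6891): root owner, type 41, DO bit set."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000, 0)

def query(name, qtype):
    """One question plus an OPT record in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + opt_rr()

def minimal_response(name, qtype, rdatas, ttl=300):
    """Answer-only response: no authority or additional data except OPT.
    Each owner name is a 2-byte compression pointer to the question name."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(rdatas), 0, 1)
    body = encode_name(name) + struct.pack("!HH", qtype, 1)
    for rdata in rdatas:
        body += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + body + opt_rr()

def amplification(name, qtype, rdatas):
    """Response bytes sent per query byte received."""
    return len(minimal_response(name, qtype, rdatas)) / len(query(name, qtype))

def output_mbit_per_s(response_len, queries_per_s):
    """Output bandwidth the server emits at a given incoming query rate."""
    return response_len * 8 * queries_per_s / 1e6

# Constructed sample record sets: label -> (qtype, list of RDATA byte strings)
SAMPLES = {
    "one A":     (1,  [bytes([192, 0, 2, 1])]),
    "ten A":     (1,  [bytes([192, 0, 2, i]) for i in range(1, 11)]),
    "1 KiB TXT": (16, [(b"\xff" + b"x" * 255) * 4]),  # four 255-byte strings
}

if __name__ == "__main__":
    for label, (qtype, rdatas) in SAMPLES.items():
        resp = minimal_response("example.com", qtype, rdatas)
        print(f"{label:10s} query={len(query('example.com', qtype))}B "
              f"response={len(resp)}B "
              f"factor={amplification('example.com', qtype, rdatas):.1f} "
              f"at 100k qps={output_mbit_per_s(len(resp), 100_000):.0f} Mbit/s")
```

The factor depends entirely on the zone's data: trimming the authority and additional sections does nothing about a large answer section.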

