Stopping name server abuse

Paul Kosinski bind at iment.com
Mon Jun 25 15:04:32 UTC 2018


How does *not* responding to a UDP query take longer for the *server*
than responding to a UDP query? Both responding and (deliberately) not
responding require identifying the query, but not responding bypasses
the time the server would need to construct the response, plus time
spent in the network stack. (I'm assuming we don't care about client
side "expense".)

Of course, if not responding to a UDP query provokes a TCP query, that
might increase the total server time needed, since TCP is inherently
more expensive for short transactions like DNS.

P.S. If you have something like iptables (with its string matching) in
front of your DNS server, you could just drop UDP queries for bogus
domains rather than letting them in at all. Or you could even route
them to a special lightweight server that just yields canned responses.
(This wouldn't work for TCP, because the query doesn't come until after
the connection is established.)



On Mon, 25 Jun 2018 15:32:44 +0200
Reindl Harald <h.reindl at thelounge.net> wrote:

> 
> 
> Am 25.06.2018 um 05:39 schrieb Paul Kosinski:
> > Is it possible to get BIND not to respond at all, thereby causing
> > a timeout on the query? That would perhaps reduce load more than
> > NXDOMAIN or deleting the zone(s) would.
> 
> timeouts are expensive for both sides by definition
> 
> > On Mon, 25 Jun 2018 00:03:09 +0200
> > jonny at hasig.de wrote:
> > 
> >> yes, but it minimizes the use of resources because the only answer
> >> is nxdomain. j.
> >>
> >> Am 24.06.2018 um 23:41 schrieb Barry Margolin:
> >>> In article <mailman.70.1529876093.803.bind-users at lists.isc.org>,
> >>>   jonny at hasig.de wrote:
> >>>
> >>>> hi,
> >>>> why don't you just delete the zones?
> >>>
> >>> That won't stop the queries from coming to the server
> 
> 
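
The iptables approach from the P.S., as an added example that is not part of the thread: a POSIX shell script that encodes a (constructed) bogus domain name into DNS wire format and emits the string-match rule that drops UDP/53 queries for that name before they reach BIND. It assumes iptables with the xt_string match, IPv4 packets without IP options (the --from 40 offset skips the 20-byte IP, 8-byte UDP and 12-byte DNS headers), and the domain names used are made-up samples.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. Builds an iptables rule that
# drops UDP DNS queries for a bogus name at the firewall, so the name server
# never sees them. Assumes iptables with the xt_string match; names are samples.

# Encode a domain name as DNS wire format (length-prefixed labels, zero
# terminator) in the "|hex|" form that iptables --hex-string expects.
# The string match needs the wire form, not the dotted text, because that is
# what appears in the question section of the query packet.
dns_wire_hex() {
    name=${1%.}                      # drop a trailing dot
    hex=""
    old_ifs=$IFS; IFS=.
    for label in $name; do
        len=${#label}
        # DNS labels are 1..63 octets; an empty label means a malformed name
        if [ "$len" -lt 1 ] || [ "$len" -gt 63 ]; then
            IFS=$old_ifs; return 1
        fi
        label_hex=$(printf '%s' "$label" | od -An -tx1 | tr -d ' \n')
        hex="$hex$(printf '%02x' "$len")$label_hex"
    done
    IFS=$old_ifs
    printf '|%s00|\n' "$hex"
}

# Print the rule. --from 40 skips IPv4 (20, no options) + UDP (8) + DNS header
# (12) so the pattern is searched from the question section onward; --icase
# covers mixed-case queries, since DNS names are case-insensitive. Because the
# wire form of "sub.bogus.example" contains "|05bogus07example00|" the rule
# also drops queries for names below the bogus zone. TCP queries are not
# covered: the name only arrives after the handshake, as the P.S. notes.
drop_rule() {
    wire=$(dns_wire_hex "$1") || return 1
    printf 'iptables -A INPUT -p udp --dport 53 -m string --algo bm --from 40 --icase --hex-string "%s" -j DROP\n' "$wire"
}

# Apply the rule only when running as root; otherwise just show it.
apply_drop_rule() {
    if [ "$(id -u)" -eq 0 ]; then
        eval "$(drop_rule "$1")"
    else
        drop_rule "$1"
    fi
}

apply_drop_rule bogus.example
```

Run it as root to install the rule, or unprivileged to just see the command it would run.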