RRL outcome on legitimate traffic...
Karl Pielorz
kpielorz_lst at tdx.co.uk
Tue Dec 1 10:58:50 UTC 2020
Hi all,
So there's been quite a thread - that originally started as "Bind stats -
denied queries" - and morphed into a whole discussion on spoofed UDP,
logging, RRL etc.
In my original post - I never said the original traffic was likely
legitimate in any way (just so we're clear - I didn't start that aspect of
that thread).
So,
Obviously RRL is pretty much all you can do with this stuff - presumably,
if someone throws a lot of queries that 'trip' the RRL - but, say, spoofed
from another ISP's actual DNS servers/network - the idea is that those IPs'
legitimate UDP queries will start getting dropped :( - but the other ISP's
DNS will then, hopefully, switch from UDP to TCP to get an answer?
Looking at the distribution of rubbish we're seeing - I'm suspecting some
of the limits would have to be 'really low' to catch some of this stuff
(i.e. sometimes we just see 5 queries from an IP, and then nothing for
hours - even from within the same /24).
Obviously the server can weather quite a bit of this, and you can't
"block everything" (which is - in a circle - why I was asking originally
about getting stats for it :) ).
Regards,
-Karl
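The two points Karl raises above (what threshold would be needed to catch a short burst from an otherwise idle /24, and what happens to a legitimate resolver whose address is spoofed into a flood) can be explored with a small model of BIND-style response rate limiting. The script below is an added example, not code from the bind-users thread or from BIND itself. It uses constructed traffic (the addresses 192.0.2.x and 198.51.100.53 are documentation ranges, not real resolvers) and a simplified credit-bucket model of RRL: an account per client /24 starts with one second's worth of credit (responses-per-second), accumulates credit up to responses-per-second times window while it stays under the rate, and once credit is exhausted every `slip`-th limited response is sent truncated (TC=1) instead of dropped. The initial-credit and floor rules are simplifications of the real implementation and are labelled as such in the code.

```python
"""Simplified model of BIND response rate limiting (RRL) over sample traffic.

Added example for the bind-users thread on RRL and spoofed UDP. The bucket
rules below are a simplification of BIND's rrl.c, not a copy of it; the
traffic is constructed, not captured. Equivalent named.conf fragment:

    rate-limit {
        responses-per-second 5;
        window 15;
        slip 2;
        ipv4-prefix-length 24;
    };
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: (timestamp in seconds, client IP). Not real traffic.
SAMPLE_QUERIES = (
    # (a) five queries from one host in 192.0.2.0/24, then nothing for hours
    [(100, "192.0.2.10")] * 5
    + [(7300, "192.0.2.77")] * 5
    # (b) another ISP's resolver, a steady 2 queries/second for 10 seconds
    + [(t, "198.51.100.53") for t in range(100, 110) for _ in range(2)]
    # (c) 30 spoofed queries forged with that resolver's address at t=105
    + [(105, "198.51.100.53")] * 30
)


def client_prefix(ip: str, prefix_len: int = 24) -> str:
    """RRL accounts per client netblock, /24 for IPv4 by default."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def peak_rates(queries, prefix_len: int = 24) -> dict:
    """Highest number of queries seen from each prefix in any one second.

    This is the number a responses-per-second limit has to be below before
    a burst from an otherwise idle prefix is rate-limited at all.
    """
    per_second = defaultdict(Counter)
    for ts, ip in queries:
        per_second[client_prefix(ip, prefix_len)][ts] += 1
    return {prefix: max(c.values()) for prefix, c in per_second.items()}


def rrl_simulate(queries, rps: int, window: int, slip: int, prefix_len: int = 24) -> dict:
    """Return {prefix: {"answer": n, "drop": n, "slip": n}} for the traffic.

    Simplified rules (assumptions, not BIND's exact arithmetic):
      * a new or idle (longer than `window`) account starts with `rps` credits
      * an active account gains `rps` credits per second, capped at rps*window
      * each answered response costs one credit; with no credit left the
        response is limited, and every `slip`-th limited response is sent
        as a truncated reply (TC=1) so a real resolver retries over TCP;
        slip=0 means never truncate, always drop
    """
    state = {}
    stats = {}
    for ts, ip in sorted(queries, key=lambda q: q[0]):
        key = client_prefix(ip, prefix_len)
        st = state.get(key)
        if st is None or ts - st["last"] > window:
            balance, slip_ctr = rps, 0
        else:
            balance = min(st["balance"] + rps * (ts - st["last"]), rps * window)
            slip_ctr = st["slip_ctr"]
        if balance >= 1:
            balance -= 1
            action = "answer"
        else:
            slip_ctr += 1
            if slip and slip_ctr >= slip:
                slip_ctr, action = 0, "slip"
            else:
                action = "drop"
        state[key] = {"last": ts, "balance": balance, "slip_ctr": slip_ctr}
        stats.setdefault(key, {"answer": 0, "drop": 0, "slip": 0})[action] += 1
    return stats


if __name__ == "__main__":
    print("peak queries/second per /24:", peak_rates(SAMPLE_QUERIES))
    for rps in (5, 3):
        print(f"\nresponses-per-second {rps}, window 15, slip 2:")
        for prefix, s in rrl_simulate(SAMPLE_QUERIES, rps=rps, window=15, slip=2).items():
            print(f"  {prefix:18} {s}")
```

With responses-per-second 5 the five-query burst from 192.0.2.0/24 is answered in full both times; it only trips the limit once the rate drops below the burst size, which is the "really low" threshold the post anticipates. The resolver at 198.51.100.53 shares its /24 account with the spoofed flood, so in the second of the flood the surplus responses are limited regardless of which queries were genuine; the slipped, truncated replies are what lets the real resolver fall back to TCP for those answers, while the forged sender gets nothing useful from either the drops or the small TC=1 replies.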