Dropping external recursive requests

john at feith.com john at feith.com
Thu Dec 4 01:43:14 UTC 2008

On Dec 3, 6:26 pm, Mark Andrews <Mark_Andr... at isc.org> wrote:
> If it is a forged packet it should be dropped regardless of the setting
> of RD.

True, however not something that's easily determined from a distance.

Ideally ingress filtering would render this a non-issue, however
there obviously holes in the current filtering done by ISPs.

> If the only reason to think the packet is forged is the setting
> of RD=1 then the OP has committed a reasoning error.

The situation that we've encountered on a couple of occasions
is a steady stream (several a second) of the exact same query
with the same source address for several days.  When we contact
the owner of the source address, they state they're under DDoS
attack and are not the source of the request.  Part of the attack
they experience is the Refused response from our DNS server.

> Also rd being set my just be the result of someone testing with
> a tool which sets rd by default.

In which case they can change the setting.

Which is worst ... occasionally dropping a request from someone
using a misconfigured tool / server, or participating in a larger
DDoS attack?

Granted that dropping external requests with RD=1 doesn't
eliminate the potiental for DDoS attacks, it just changes it.

> One needs to be really, really careful here.

Understood ... and I realize that things shouldn't be oversimplified
(i.e. by assuming RD=1 must mean an evil request).  Part of the
for this post is to start a discussion on the pros / cons.

-- John
john at feith.com

More information about the bind-users mailing list