RRL and avoiding contributing to DDoS (Was: How to suppress ADDITIONAL SECTION per zone)
vjs at rhyolite.com
Fri Jul 5 23:11:35 UTC 2013
> From: Dave Warren <davew at hireahit.com>
> I haven't been following the RRL discussions too closely, is this patch
> scheduled to be included in BIND9 proper or will it remain a patch?
} From: Evan Hunt each at isc.org
} > It's not built into bind (yet).
} Correct. For the record, it'll be in 9.10.0 by default and 9.9.4 as a
} compile-time option (--enable-rrl).
> In the mean time, would it make sense to set "minimal-responses yes"
> proactively, or only if a spike of activity is detected (noting that it
> will take us 1-3 days to notice a spike unless it's disruptive to
Depending on your DNS data, a minimal response offers bad guys
between significant and more than enough amplification for a DNS
reflection attack. While a "minimal-responses yes" DNS server without RRL
is participating in a DNS reflection attack, it can be sending
a lot of bits/second. Some DNS servers are not bothered by a few
extra Gbit/sec of DNS output bandwidth, but many are.
In other words, as I see them, as DNS reflection mitigation,
"minimal-responses yes" is like blocking ANY,
just wishful thinking.
Vernon Schryver vjs at rhyolite.com
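To make the post's point concrete, here is an added example (not from the thread, and not BIND's code) that simulates an RRL-style per-client, per-name response limit over a constructed query stream and compares the bytes a server would emit with and without it. The one-second window, the per-second limit, the /24 client grouping and the "slip" (truncated reply) behaviour are assumptions approximating what RRL does, not BIND's exact parameters or algorithm.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed query stream: (second, client_ip, qname, qtype, response_bytes).
# One spoofed source repeats the same large query; a normal client asks a few.
QUERIES = [(t, "198.51.100.7", "example.com.", "ANY", 1500)
           for t in range(3) for _ in range(40)]
QUERIES += [(t, "203.0.113.9", "www.example.com.", "A", 120) for t in range(3)]

TC_RESPONSE_BYTES = 45  # constructed: header + question only, TC bit set


class RateLimiter:
    """RRL-style limiter (an approximation, not BIND's algorithm): one bucket
    per (client /24, qname, qtype); responses beyond `per_second` in a
    one-second window are alternately truncated ("slip") or dropped."""

    def __init__(self, per_second=5, slip=2):
        self.per_second, self.slip = per_second, slip
        self.count = defaultdict(int)     # responses sent this second per bucket
        self.slip_ctr = defaultdict(int)  # excess responses seen per bucket
        self.second = None

    @staticmethod
    def key(ip, qname, qtype):
        return (str(ip_network(f"{ip}/24", strict=False)), qname, qtype)

    def decide(self, second, ip, qname, qtype):
        if second != self.second:         # new window: reset per-second counts
            self.second, self.count = second, defaultdict(int)
        k = self.key(ip, qname, qtype)
        self.count[k] += 1
        if self.count[k] <= self.per_second:
            return "send"
        self.slip_ctr[k] += 1
        # Every `slip`-th excess answer is a tiny TC=1 reply, so a genuine
        # client behind a spoofed address can still retry over TCP.
        return "slip" if self.slip_ctr[k] % self.slip == 0 else "drop"


def simulate(queries, limiter=None):
    """Return (bytes emitted, count per action) for the stream, in time order."""
    sent, actions = 0, defaultdict(int)
    for sec, ip, qname, qtype, size in sorted(queries):
        act = limiter.decide(sec, ip, qname, qtype) if limiter else "send"
        actions[act] += 1
        sent += size if act == "send" else TC_RESPONSE_BYTES if act == "slip" else 0
    return sent, dict(actions)


if __name__ == "__main__":
    print("unlimited:", simulate(QUERIES))            # (180360, {'send': 123})
    print("rrl-style:", simulate(QUERIES, RateLimiter()))
```

The normal client's three queries are all answered in both runs; only the repeating bucket is throttled, which is the difference between a rate limit and a smaller reply.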