RRL outcome on legitimate traffic...

[Karl Pielorz]

Hi all,

So there's been quite a thread - that originally started as "Bind stats - 
denied queries" - and morphed into a whole discussion on spoofed UDP, 
logging, RRL etc.

In my original post - I never said the original traffic was likely 
legitimate in anyway (just so we're clear - I didn't start that aspect of 
that thread).


So,

Obviously RRL is pretty much all you can do with this stuff - presumably, 
if someone throws a lot of queries that 'trip' the RRL - but, say spoofed 
from another ISP's actual DNS servers/network - the idea is that those IP's 
legitimate UDP queries will start getting dropped :( - but the other ISP's 
DNS will then, hopefully switch from UDP to TCP to get an answer?


Looking at the distribution of rubbish we're seeing - I'm suspecting some 
of the limits would have to be 'really low' to catch some of this stuff 
(i.e. some times we just see 5 queries from an IP, and then nothing for 
hours - even from within the same /24).

Obviously the server can weather a quite a bit of this, and you can't 
"block everything" (which is - in a circle, why I was asking originally 
about getting stats for it :)

Regards,

-Karl