RRL outcome on legitimate traffic...
lyle at lcrcomputer.net
Tue Dec 1 14:24:50 UTC 2020
You need to look at the reply named sends when it trips and starts
limiting UDP traffic source from a given IP address. It tells the
requestor to try again using TCP instead of UDP.
So if the requestor is a legit dns server, it will retry using TCP and
still get a valid answer.
Named does not blindly just drop traffic.
LCR Computer Services, Inc.
On 12/1/20 4:58 AM, Karl Pielorz wrote:
> Hi all,
> So there's been quite a thread - that originally started as "Bind
> stats - denied queries" - and morphed into a whole discussion on
> spoofed UDP, logging, RRL etc.
> In my original post - I never said the original traffic was likely
> legitimate in anyway (just so we're clear - I didn't start that aspect
> of that thread).
> Obviously RRL is pretty much all you can do with this stuff -
> presumably, if someone throws a lot of queries that 'trip' the RRL -
> but, say spoofed from another ISP's actual DNS servers/network - the
> idea is that those IP's legitimate UDP queries will start getting
> dropped :( - but the other ISP's DNS will then, hopefully switch from
> UDP to TCP to get an answer?
> Looking at the distribution of rubbish we're seeing - I'm suspecting
> some of the limits would have to be 'really low' to catch some of this
> stuff (i.e. some times we just see 5 queries from an IP, and then
> nothing for hours - even from within the same /24).
> Obviously the server can weather a quite a bit of this, and you can't
> "block everything" (which is - in a circle, why I was asking
> originally about getting stats for it :)
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> bind-users mailing list
> bind-users at lists.isc.org
More information about the bind-users