RRL outcome on legitimate traffic...
Reindl Harald
h.reindl at thelounge.net
Tue Dec 1 18:17:17 UTC 2020
Am 01.12.20 um 17:15 schrieb Karl Pielorz:
> --On 1 December 2020 at 08:24:50 -0600 Lyle Giese <lyle at lcrcomputer.net>
> wrote:
>
>> You need to look at the reply named sends when it trips and starts
>> limiting UDP traffic sourced from a given IP address. It tells the
>> requestor to try again using TCP instead of UDP.
>>
>> So if the requestor is a legit dns server, it will retry using TCP and
>> still get a valid answer.
>>
>> Named does not blindly just drop traffic.
>
> Hmmm, I thought it did for RRL limit hits? (i.e. that's the point - to
> stop sending responses)
Irrelevant in the context of TCP, where a forged source with the IP of the
victim doesn't survive a handshake.

The point of DNS amplification over UDP is that the response to ANY
queries is dramatically larger than the inbound packet, and no handshake
is needed.
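As an added illustration of the behaviour discussed in this thread (this is example code written for this page, not code from the thread or from BIND): a minimal client that sends a query over UDP and, when the reply comes back with the TC bit set, as named's rate-limit "slip" reply does, repeats the same query over TCP. The `simulated_slip_response()` function is a constructed stand-in for the truncated reply a rate-limited server sends, so the checks run offline; the server address, port 53 and the timeout in `resolve()` are assumptions. It also shows why the slip reply defeats amplification: it carries no answer section and is the same size as the query, so a spoofed victim receives no more bytes than the attacker sent.

```python
"""UDP query with TC-driven TCP fallback (example code, not part of the original post)."""
import socket
import struct

QTYPE_ANY = 255
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: retry over TCP
FLAG_RD = 0x0100  # recursion desired


def build_query(name, qtype=QTYPE_ANY, txid=0x1234):
    """Build a minimal DNS query: RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".") if lbl]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the retry logic needs."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def simulated_slip_response(query):
    """Constructed stand-in for a rate-limited server's slip reply (assumption,
    not captured traffic): same ID, QR=1, TC=1, the question echoed, no answers."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, (flags & FLAG_RD) | FLAG_QR | FLAG_TC, qd, 0, 0, 0)
    return header + query[12:]


def needs_tcp_retry(query, response):
    """A legitimate resolver retries over TCP only for a matching, truncated response."""
    q, r = parse_header(query), parse_header(response)
    return r["qr"] and r["tc"] and r["id"] == q["id"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def amplification(query, response):
    """Bytes returned per byte sent; 1.0 means the reply is no bigger than the query."""
    return len(response) / len(query)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed early")
        buf += chunk
    return buf


def resolve(server, query, timeout=2.0):
    """Send over UDP; on a TC=1 reply, resend the same query over TCP.
    Returns (reply_bytes, transport). Server/port/timeout are assumptions."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(4096)
    if not needs_tcp_retry(query, reply):
        return reply, "udp"
    # A spoofed source never gets here: the TCP handshake has to complete first.
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        (length,) = struct.unpack("!H", recv_exact(tcp, 2))
        return recv_exact(tcp, length), "tcp"


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    slip = simulated_slip_response(q)
    print("retry over TCP:", needs_tcp_retry(q, slip))
    print("amplification of slip reply:", amplification(q, slip))
```

Pointing `resolve()` at a real server that has tripped RRL for your address would show the second leg; the offline functions are what make the point: the slip reply only works for a client that can complete a TCP handshake, and it gives a spoofed victim nothing larger than the query itself.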