RRL outcome on legitimate traffic...

Reindl Harald h.reindl at thelounge.net
Tue Dec 1 18:17:17 UTC 2020
On 01.12.20 at 17:15, Karl Pielorz wrote:
> --On 1 December 2020 at 08:24:50 -0600 Lyle Giese <lyle at lcrcomputer.net> 
> wrote:
> 
>> You need to look at the reply named sends when it trips and starts
>> limiting UDP traffic source from a given IP address.  It tells the
>> requestor to try again using TCP instead of UDP.
>>
>> So if the requestor is a legit dns server, it will retry using TCP and
>> still get a valid answer.
>>
>> Named does not blindly just drop traffic.
> 
> Hmmm, I thought it did for RRL limit hits? (i.e. that's the point - to 
> stop sending responses)

irrelevant in the context of TCP, where a forged source with the IP of the 
victim doesn't survive a handshake

the point of DNS amplification over UDP is that the response to ANY 
queries is dramatically larger than the inbound packet and no handshake 
is needed
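Added illustration (not part of the thread, and not BIND's code): a toy model of the RRL behaviour discussed above. It builds the small "slip" reply with TC=1 that named sends instead of a full answer, and a per-/24 limiter whose parameter names mirror named.conf's responses-per-second and slip; the per-second window and the sample query are simplifications and constructed input.

```python
import struct

# Toy model of BIND-style Response Rate Limiting (RRL). Parameter names mirror
# named.conf's responses-per-second and slip; the logic is simplified, not BIND's.
RESPONSES_PER_SECOND = 5
SLIP = 2  # every 2nd rate-limited response is truncated (TC=1) instead of dropped

def build_query(name, qtype, txid=0x1234):
    """Construct a minimal DNS query (constructed sample input, RD set)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def truncated_reply(query):
    """Build the 'slip' reply: header + question only, QR=1 and TC=1, no answers.
    It is never larger than the query, so a spoofed victim gains no amplification,
    while a real resolver sees TC and retries the same query over TCP."""
    txid, flags, qd = struct.unpack("!3H", query[:6])
    i = 12
    while query[i]:                 # walk the label chain to the root label of QNAME
        i += query[i] + 1
    qend = i + 1 + 4                # root label + QTYPE + QCLASS
    return struct.pack("!6H", txid, flags | 0x8200, qd, 0, 0, 0) + query[12:qend]

class RateLimiter:
    def __init__(self, rps=RESPONSES_PER_SECOND, slip=SLIP):
        self.rps, self.slip, self.sent, self.limited, self.second = rps, slip, {}, {}, None

    def decide(self, client_ip, now):
        """Return 'answer', 'truncate' or 'drop' for a UDP query at time `now` (seconds)."""
        if self.second != int(now):  # new one-second window: reset all per-client counters
            self.sent, self.limited, self.second = {}, {}, int(now)
        block = ".".join(client_ip.split(".")[:3])   # BIND limits IPv4 per /24 by default
        if self.sent.get(block, 0) < self.rps:
            self.sent[block] = self.sent.get(block, 0) + 1
            return "answer"
        self.limited[block] = self.limited.get(block, 0) + 1
        return "truncate" if self.slip and self.limited[block] % self.slip == 0 else "drop"

def simulate(n_queries, client_ip="203.0.113.7"):
    """Send n identical ANY queries within one second from one (possibly spoofed) source."""
    rl, query = RateLimiter(), build_query("example.com", 255)
    decisions = [rl.decide(client_ip, 0.01 * k) for k in range(n_queries)]
    return decisions, len(query), len(truncated_reply(query))

if __name__ == "__main__":
    decisions, qlen, tlen = simulate(12)
    print(decisions)
    print(f"query {qlen} bytes, truncated slip reply {tlen} bytes")
```

With the constructed values, 12 queries in one second yield 5 answers, 3 truncated replies and 4 drops, and the slip reply is exactly as long as the query.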
