RRL outcome on legitimate traffic...
h.reindl at thelounge.net
Tue Dec 1 18:17:17 UTC 2020
On 01.12.20 at 17:15, Karl Pielorz wrote:
> --On 1 December 2020 at 08:24:50 -0600 Lyle Giese <lyle at lcrcomputer.net>
>> You need to look at the reply named sends when it trips and starts
>> limiting UDP traffic source from a given IP address. It tells the
>> requestor to try again using TCP instead of UDP.
>> So if the requestor is a legit dns server, it will retry using TCP and
>> still get a valid answer.
>> Named does not blindly just drop traffic.
> Hmmm, I thought it did for RRL limit hits? (i.e. that's the point - to
> stop sending responses)
irrelevant in the context of TCP, where a forged source with the IP of the
victim doesn't survive a handshake
the point of DNS amplification over UDP is that the response to ANY
queries is dramatically larger than the inbound packet, and there is no handshake
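The size argument in the reply above, as an added worked example (this is constructed illustration code, not from the thread and not BIND's RRL implementation): it builds an ANY query in DNS wire format, the full UDP answer for it, and the truncated TC=1 answer that RRL sends in place of a dropped response, then compares the bytes returned per byte received. The helper names, the `example.com` question and the record set (including dummy DNSKEY rdata sized like a 2048-bit and a 1024-bit RSA key) are all assumptions made for the example.

```python
import struct

# Constructed illustration, not code from the thread or from BIND.
# Builds an ANY query, a full UDP answer for it, and the truncated
# "slip" answer RRL sends instead, then compares their sizes.

QTYPE_A, QTYPE_AAAA, QTYPE_TXT, QTYPE_DNSKEY, QTYPE_ANY = 1, 28, 16, 48, 255
QCLASS_IN = 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """RFC 1035 wire name: 'example.com' becomes 07 example 03 com 00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=QTYPE_ANY):
    """12-byte header, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query, answers, truncated=False):
    """Answer `query` (one question). `answers` is a list of (rtype, rdata).
    With truncated=True the answer section is left empty and TC is set,
    which is the shape of the RRL slip response: barely larger than the
    query, so a spoofed source gains nothing from it."""
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:]  # name + qtype + qclass of the single question
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    records = b"" if truncated else b"".join(
        # 0xC00C: compression pointer to the owner name at offset 12
        struct.pack("!HHHIH", 0xC00C, rtype, QCLASS_IN, 3600, len(rdata)) + rdata
        for rtype, rdata in answers
    )
    ancount = 0 if truncated else len(answers)
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + question + records


def is_truncated(response):
    """A legitimate resolver that sees TC=1 retries the query over TCP."""
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & FLAG_TC)


def amplification_factor(query, response):
    """Bytes sent to the (possibly spoofed) source per byte received."""
    return len(response) / len(query)


def demo():
    query = build_query(0x1234, "example.com")
    txt = b"v=spf1 ip4:192.0.2.0/24 -all"
    # Constructed RRset of the kind ANY pulls in; DNSKEY rdata is dummy
    # bytes sized like a 2048-bit KSK and a 1024-bit ZSK.
    answers = [
        (QTYPE_A, bytes([192, 0, 2, 1])),
        (QTYPE_AAAA, bytes(16)),
        (QTYPE_TXT, bytes([len(txt)]) + txt),
        (QTYPE_DNSKEY, bytes(4 + 258)),
        (QTYPE_DNSKEY, bytes(4 + 130)),
    ]
    full = build_response(query, answers)
    slip = build_response(query, answers, truncated=True)
    return {
        "query_bytes": len(query),
        "full_factor": amplification_factor(query, full),
        "slip_factor": amplification_factor(query, slip),
        "slip_sets_tc": is_truncated(slip),
        "full_sets_tc": is_truncated(full),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With this record set the full UDP answer is roughly 18 times the 29-byte query, while the truncated answer is exactly the query's size with TC set; a real resolver follows the TC bit over TCP (where a forged source never completes the handshake), and a reflection victim receives only a packet no larger than what the attacker sent. In named this truncated reply is governed by the `slip` option inside `rate-limit { ... };`, where `slip 0` makes RRL drop silently instead of sending it.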