[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Open Resolver Problems
- Subject: Open Resolver Problems
- From: jbates at brightok.net (Jack Bates)
- Date: Wed, 27 Mar 2013 09:00:05 -0500
- In-reply-to: <CAP-guGWQjOVEJ4OCEn3sJuHLwq-hwg=g-7WdzAuhj77Uj3i4Cg@mail.gmail.com>
- References: <[email protected]> <[email protected]> <CAEmG1=oXXwHObBcBaRTFTj9-uyq_dFfB4j63LAmKp8Y4hdT+Wg@mail.gmail.com> <CAL89Sg+XDKc=_6UWosAZ=wyPJb9tm2GaN0-vDk8Kyiji+vEUUQ@mail.gmail.com> <CAP-guGWQjOVEJ4OCEn3sJuHLwq-hwg=g-7WdzAuhj77Uj3i4Cg@mail.gmail.com>
On 3/27/2013 8:47 AM, William Herrin wrote:
> On Tue, Mar 26, 2013 at 10:07 PM, Tom Paseka <tom at cloudflare.com> wrote:
>> Authoritative DNS servers need to implement rate limiting. (a client
>> shouldn't query you twice for the same thing within its TTL).
> Right now that's a complaint for the mainstream software authors, not
> for the system operators. When the version of Bind in Debian Stable
> implements this feature, I'll surely turn it on.
>
>
Tracking the clients would be a huge dataset and be especially
complicated in clusters. They'd be better off at detecting actual attack
vectors rather than rate limiting. However, there are enough nodes out
there to easily spread a trickle to avoid individual detections. You
don't want to DOS your amplifier, after all. It also wouldn't be hard to
rotate through different requests to defeat the "rate limits".
Jack