Hi all,

So there's been quite a thread - that originally started as "Bind stats - denied queries" - and morphed into a whole discussion on spoofed UDP, logging, RRL etc.

In my original post - I never said the original traffic was likely legitimate in anyway (just so we're clear - I didn't start that aspect of that thread).


So,

Obviously RRL is pretty much all you can do with this stuff - presumably, if someone throws a lot of queries that 'trip' the RRL - but, say, spoofed from another ISP's actual DNS servers/network - the idea is that those IPs' legitimate UDP queries will start getting dropped :( - but the other ISP's DNS will then, hopefully, switch from UDP to TCP to get an answer?


Looking at the distribution of rubbish we're seeing - I'm suspecting some of the limits would have to be 'really low' to catch some of this stuff (i.e. sometimes we just see 5 queries from an IP, and then nothing for hours - even from within the same /24).

Obviously the server can weather quite a bit of this, and you can't "block everything" (which is - in a circle, why I was asking originally about getting stats for it :)

Regards,

-Karl
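For reference, the mechanism Karl is asking about (a spoofed victim's real resolver falling back to TCP) is what BIND's `slip` option in `rate-limit` is for: every Nth rate-limited response is sent truncated (TC=1) instead of dropped, so a genuine resolver at the spoofed address retries over TCP, which a spoofer cannot complete. The snippet below is an added illustration, not from the original post or from ISC; the addresses and log path are placeholders, and `log-only yes` makes it a dry run so you get the per-client counts first before anything is actually dropped.

```conf
options {
    // ... other options ...
    rate-limit {
        // Identical responses are counted per (client prefix, qname, qtype) bucket.
        responses-per-second 10;
        nxdomains-per-second 5;
        errors-per-second 5;

        // Clients are aggregated by prefix; /24 is the default for IPv4, so a
        // scatter of a few queries from many hosts in one /24 shares one bucket.
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;

        // Seconds over which bursts are averaged before the limit trips.
        window 5;

        // slip 2 (the default): every second limited response is sent as a
        // truncated UDP reply (TC=1) rather than dropped. A real resolver at a
        // spoofed source address retries over TCP and still gets its answer;
        // the dropped half keeps the amplification value of the server low.
        slip 2;

        // Known-good resolvers (e.g. a peer ISP's recursive servers) bypass RRL.
        // Placeholder prefixes: replace with the real ones.
        exempt-clients { 192.0.2.0/24; 2001:db8::/32; };

        // Dry run: log what would be limited, drop nothing. Set to "no" once
        // the logged counts look sane.
        log-only yes;
    };
};

logging {
    // Capture RRL decisions separately so they can be counted per client prefix.
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 20m;   // placeholder path
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_log; };
};
```

RRL applies only to authoritative answers (it is not a substitute for restricting recursion), and the `rate-limit` log lines are the per-/24 counts the original "denied queries" thread was after.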
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users