On 16.12.21 at 14:56, Andrew P. wrote:
> Reindl Harald <h.rei...@thelounge.net> writes:
>> On 16.12.21 at 14:22, Andrew P. wrote:
>>> You don't understand what kind of blacklist I want; I want to blacklist the
>>> domain name being asked for, so I don't answer for it. I'm not looking to
>>> blacklist forged IP addresses of requestors (since we all know criminals
>>> don't use their own identities; they use the identities of innocent
>>> bystanders).
>>>
>>> Again, why should _my_ nameserver respond to a query for "./ANY/IN"? I am
>>> not a rootserver, and never will be.
>>
>> AGAIN: you don't gain anything by not responding on a UDP protocol,
>> because the client can't distinguish no response from packet loss
>
> AGAIN, the criminal DDoS attacker who's creating these forged requests isn't
> looking for replies to themselves

but a legit client does, while these attacks aren't successful at all

> they're looking to abuse some poor victim. And the victim can't make the
> attacker shut up

this attacker must be pretty dumb then, because the ANY request only makes
sense if it gets answered and the response is magnitudes larger than the
request

hence you need to send them to a server giving a full answer to the victim;
with just an error response he could send its attack traffic directly

given that the attacker needs the full bandwidth anyways and is not using a
valid DNS request, just blow out traffic to UDP 53

one couldn't care less about attackers who don't know what they are doing
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
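The thread argues about whether to drop "./ANY/IN" queries; from the operator's side the useful first step is to see how many of them arrive and from which (likely spoofed) source addresses. The following is an added example, not from the thread or from BIND itself: it parses a few constructed lines in the shape of BIND's query log (the exact field layout is an assumption) and reports per-source counts of root ANY queries.

```python
import re
from collections import Counter

# Constructed sample lines modelled on BIND's query log; the field layout
# ("client @0x... IP#port (qname): query: qname class type flags (server)")
# is an assumption for this example, not taken from the thread.
SAMPLE_LOG = """\
16-Dec-2021 14:22:01.001 client @0x7f3a1c0 192.0.2.10#4312 (.): query: . IN ANY +E(0) (198.51.100.5)
16-Dec-2021 14:22:01.002 client @0x7f3a1c0 192.0.2.10#4312 (.): query: . IN ANY +E(0) (198.51.100.5)
16-Dec-2021 14:22:01.003 client @0x7f3a1c0 192.0.2.10#4312 (.): query: . IN ANY +E(0) (198.51.100.5)
16-Dec-2021 14:22:02.100 client @0x7f3a1d0 203.0.113.7#53001 (example.net): query: example.net IN A +E(0) (198.51.100.5)
16-Dec-2021 14:22:02.200 client @0x7f3a1e0 203.0.113.7#53002 (example.net): query: example.net IN MX + (198.51.100.5)
16-Dec-2021 14:22:03.000 client @0x7f3a1f0 192.0.2.10#4313 (.): query: . IN ANY +E(0) (198.51.100.5)
"""

# Source address, query name, class and type; the "@0x..." client handle is optional.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-f.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_queries(log_text):
    """Yield (client_ip, qname, qclass, qtype) for every recognised query line."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["qname"], m["qclass"], m["qtype"]


def root_any_report(log_text, min_count=2):
    """Count './ANY/IN' queries per source address and return {ip: count}
    for sources at or above min_count.  As the thread notes, these source
    addresses are usually forged, so a listed address is more likely the
    reflection victim than the attacker."""
    counts = Counter(
        ip for ip, qname, qclass, qtype in parse_queries(log_text)
        if qname == "." and qclass == "IN" and qtype == "ANY"
    )
    return {ip: n for ip, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    print(root_any_report(SAMPLE_LOG))  # {'192.0.2.10': 4}
```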