* Vernon Schryver [2013-05-15 21:40]:
>> From: Jared Mauch <ja...@puck.nether.net>
>> This is a crude but effective hack. It doesn't stop the system from
>> recursing to find the response.
>
> I can understand simplistic DNS reflection mitigation in firewalls,
> especially when response rate limiting is not available in the DNS
> server implementation or when local policies forbid the use of patches.
> I don't understand why one would use a patch like that with its
> limitations and drawbacks (e.g. usable only on recent versions of
> BIND9, affects only ANY, affects all ANY, doesn't limit the flood of
> reflected truncated responses during attacks, no whitelisting for local
> clients, not view-specific) instead of the full-blown RRL patch for
> 9.9.3rc2, 9.9.2, 9.9.2-P1, 9.9.2-P2, 9.8.4-P2, 9.8.4-P1, or 9.8.5rc2.
>
> By the way, why use "qtype == 255" instead of "qtype == dns_rdatatype_any"?
>
> Why #define TCP_CLIENT() and use the macro exactly once instead of
> something like
>     if (qtype == dns_rdatatype_any &&
>         (client->attributes & NS_CLIENTATTR_TCP) != 0) {
> If TCP_CLIENT() is used in query.c, then its definition should be moved
> from client.c to bin/named/include/named/client.h and the several uses
> of "client->attributes & NS_CLIENTATTR_TCP" in query.c replaced with
> TCP_CLIENT(). It's bad form to define macros (or much of anything)
> more than once, because you can be sure that eventually the definitions
> will differ.
I think the keyword here is "hack". I wouldn't invest too much time in an analysis.

Regards,
Matt

-- 
Universität Duisburg-Essen
Verteilte Systeme
Bismarckstr. 90 / BC 316
47057 Duisburg
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
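To make the quoted objections concrete, the following is an added example for this page, not code from the thread, from BIND 9, or from either patch. It models a responder under three policies: no mitigation, the "answer ANY over UDP with TC=1" hack, and a deliberately simplified RRL (a fixed one-second budget keyed on the client /24 and qname, with every `slip`-th excess response sent truncated). The zone content (25 constructed TXT records for ANY), the rate and slip values, and the 192.0.2.x addresses are assumptions made for the demonstration.

```python
"""Toy model of the two ANY-reflection mitigations contrasted in the thread.

Added example, not code from BIND 9 or from the patches discussed. Assumes a
zone whose ANY answer is 25 constructed TXT RRs, single-question queries, and
RRL reduced to a fixed one-second budget per (client /24, qname) with every
`slip`-th excess response sent truncated; rate, slip and addresses are made up.
"""
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255   # 255 is dns_rdatatype_any in BIND
FLAG_QR, FLAG_TC = 0x8000, 0x0200

def build_query(qname, qtype, txid=0x1234):
    """Encode a minimal DNS query in wire format: header plus one question."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_query(pkt):
    """Return (txid, qname, qtype, question_section) from a single-question query."""
    txid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if flags & FLAG_QR or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    pos, labels = 12, []
    while pkt[pos]:                                   # walk labels up to the root label
        labels.append(pkt[pos + 1:pos + 1 + pkt[pos]].decode())
        pos += 1 + pkt[pos]
    qtype = struct.unpack(">H", pkt[pos + 1:pos + 3])[0]
    return txid, ".".join(labels), qtype, pkt[12:pos + 5]

def truncated(txid, question):
    """Header-plus-question reply with TC=1; the client is expected to retry over TCP."""
    return struct.pack(">HHHHHH", txid, FLAG_QR | FLAG_TC, 1, 0, 0, 0) + question

def rr(rtype, rdata, ttl=300):
    """One answer RR whose owner name is a compression pointer to the question name."""
    return b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata

def full_answer(txid, question, qtype):
    """Complete reply: ANY gets the 25 constructed TXT RRs, anything else one A RR."""
    if qtype == QTYPE_ANY:
        rrs = [rr(QTYPE_TXT, bytes([100]) + b"x" * 100) for _ in range(25)]
    else:
        rrs = [rr(QTYPE_A, bytes([192, 0, 2, 1]))]   # constructed address
    return struct.pack(">HHHHHH", txid, FLAG_QR, 1, len(rrs), 0, 0) + question + b"".join(rrs)

def ipv4_prefix(ip, bits):
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big") >> (32 - bits)

def no_mitigation(pkt, transport, src, now_ms):
    txid, _, qtype, question = parse_query(pkt)
    return full_answer(txid, question, qtype)

def truncate_any(pkt, transport, src, now_ms):
    """The hack: every ANY over UDP gets TC=1, whoever asks; other qtypes are untouched."""
    txid, _, qtype, question = parse_query(pkt)
    if qtype == QTYPE_ANY and transport == "udp":
        return truncated(txid, question)
    return full_answer(txid, question, qtype)

class RRL:
    """Per-(client /24, qname) response budget per second (assumed simplification).
    Excess responses are dropped except every `slip`-th one, which goes out
    truncated so a real client behind a spoofed address can still use TCP."""

    def __init__(self, responses_per_second=5, slip=2):
        self.rate, self.slip, self.buckets = responses_per_second, slip, {}

    def __call__(self, pkt, transport, src, now_ms):
        txid, qname, qtype, question = parse_query(pkt)
        if transport == "tcp":                        # TCP sources are not spoofable
            return full_answer(txid, question, qtype)
        key = (ipv4_prefix(src, 24), qname.lower(), now_ms // 1000)
        sent, dropped = self.buckets.get(key, (0, 0))
        if sent < self.rate:
            self.buckets[key] = (sent + 1, dropped)
            return full_answer(txid, question, qtype)
        self.buckets[key] = (sent, dropped + 1)
        return truncated(txid, question) if (dropped + 1) % self.slip == 0 else None

def reflect(policy, qtype=QTYPE_ANY, n=1000, src="192.0.2.7"):
    """Spoof n UDP queries from src within one second and return
    (responses_sent, bytes_reflected, amplification_factor)."""
    query = build_query("example.com", qtype)
    sent = total = 0
    for ms in range(n):
        reply = policy(query, "udp", src, ms)
        if reply is not None:
            sent, total = sent + 1, total + len(reply)
    return sent, total, round(total / (n * len(query)), 2)

if __name__ == "__main__":
    for name, policy in (("no mitigation", no_mitigation), ("truncate ANY/UDP", truncate_any),
                         ("RRL 5/s, slip 2", RRL())):
        print("%-18s ANY flood: %d responses, %d bytes, amplification %.2f" % ((name,) + reflect(policy)))
    print("%-18s A flood:   %d responses, %d bytes, amplification %.2f"
          % (("truncate ANY/UDP",) + reflect(truncate_any, qtype=QTYPE_A)))
```

Running it shows the difference in one screen: with no mitigation 1000 spoofed ANY queries pull roughly 98x their size back at the victim; the hack brings that to 1.0x but still reflects one packet per spoofed query and does nothing for a flood of A queries, which is the "doesn't limit the flood of reflected truncated responses" and "affects only ANY" objection; the RRL model answers the first five in full and then slips every second excess, so the victim sees about half as many packets. ANY over TCP gets the full answer under both policies, which is the `qtype == dns_rdatatype_any && TCP_CLIENT()` condition the quoted review is arguing about.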