On 03/04/2025 15.18, Emmanuel Fusté wrote:
> DNS should never completely stop responding to one IP, just as it should never arbitrarily alter the value of an answer.

Ideally yes, but... here's a consideration: if you don't reply or make some reply that looks like an error, the client is more likely to make more retries than when you reply with something that looks like a plausible answer.  That's just for non-intentional DoS and perhaps indirect attacks through some 3rd-party resolver, of course; direct intentional attackers won't care.

Still, I most likely wouldn't use NXDOMAIN in this case.

Also note that over UDP the source IP is spoofable, so attackers can leverage such anti-DoS mechanisms to better DoS other particular consumers of that server.

--Vladimir | knot-resolver.cz

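The spoofing caveat in the message above, worked through as an added example (this is not code from the post's author or from Knot Resolver). It models two anti-DoS policies for a DNS server: a naive one that hard-blocks any UDP source address that exceeds a threshold, and a TCP-aware one that answers UDP overflow with a truncated reply (TC=1) so a genuine client retries over TCP, and counts only TCP queries toward a hard block. The threshold value, the policy names and the packet stream are constructed assumptions; the point it demonstrates is that a block keyed on an unverified UDP source lets a forged flood lock out whichever address the flood claims to come from, while a client that completes a TCP handshake has proved it really owns the path.

```python
"""Model of per-source-IP anti-DoS handling in a DNS server (added example).

Keying a hard block on the UDP source address is risky: that address is
attacker-chosen, so a flood forged with a bystander's address gets the
bystander blocked. A TCP-aware policy hands UDP overflow a small truncated
(TC=1) reply and only counts TCP-validated traffic toward the block.
All packets below are constructed sample data; THRESHOLD is an assumed value.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    src_ip: str
    transport: str  # "udp" or "tcp"


THRESHOLD = 5  # queries per window before the server reacts (assumed value)


def naive_policy(queries):
    """Hard-block any source IP that exceeds THRESHOLD, regardless of transport.

    Returns (set of blocked IPs, per-IP count of answered queries).
    Once blocked, every later query from that address is silently dropped,
    including genuine TCP retries from the real owner of the address.
    """
    seen = defaultdict(int)
    blocked = set()
    answered = defaultdict(int)
    for q in queries:
        if q.src_ip in blocked:
            continue  # silently dropped
        seen[q.src_ip] += 1
        if seen[q.src_ip] > THRESHOLD:
            blocked.add(q.src_ip)
            continue
        answered[q.src_ip] += 1
    return blocked, dict(answered)


def tcp_aware_policy(queries):
    """Over the threshold, UDP queries get a truncated (TC=1) reply instead of
    an answer, so a real client falls back to TCP; only TCP queries, whose
    source address survived a handshake, count toward a hard block.

    Returns (blocked IPs, per-IP full answers, per-IP truncated replies).
    """
    udp_seen = defaultdict(int)
    tcp_seen = defaultdict(int)
    blocked = set()
    full = defaultdict(int)
    truncated = defaultdict(int)
    for q in queries:
        if q.src_ip in blocked:
            continue
        if q.transport == "udp":
            udp_seen[q.src_ip] += 1
            if udp_seen[q.src_ip] > THRESHOLD:
                truncated[q.src_ip] += 1  # small reply, no amplification, forces TCP
                continue
            full[q.src_ip] += 1
        else:
            tcp_seen[q.src_ip] += 1
            if tcp_seen[q.src_ip] > THRESHOLD:
                blocked.add(q.src_ip)
                continue
            full[q.src_ip] += 1
    return blocked, dict(full), dict(truncated)


def sample_traffic():
    """Constructed stream: 20 UDP packets forged with the victim's address,
    then 3 genuine UDP queries from the victim, then the victim's 3 TCP retries.
    192.0.2.10 is from the documentation range and stands in for the victim."""
    victim = "192.0.2.10"
    flood = [Query(victim, "udp") for _ in range(20)]
    genuine = [Query(victim, "udp") for _ in range(3)]
    retries = [Query(victim, "tcp") for _ in range(3)]
    return flood + genuine + retries


if __name__ == "__main__":
    print("naive:    ", naive_policy(sample_traffic()))
    print("tcp-aware:", tcp_aware_policy(sample_traffic()))
```

Under the naive policy the forged flood pushes the victim's address over the threshold, after which the victim's own UDP queries and even its TCP retries are dropped. Under the TCP-aware policy the victim still sees truncated UDP replies during the flood, but its TCP retries are answered and its address is never blocked, because the forged packets cannot complete a TCP handshake.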
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
