On 22 October 2017 at 12:23, David Conrad <drc@virtualized.org> wrote:
> Damian,
> Pragmatically speaking, I strongly suspect the increase in valid queries to authoritative servers, even if all "large recursive resolvers" went away, would be lost in the noise of the overcapacity necessary to deal with even a lower-end DDoS attack.
A 10x increase in baseline queries is still a 10x increase (for whatever value of "10" the real world would actually throw at us). Although small by comparison, that still has to be made up in an increase in the overhead for DDoS. I'm also led to wonder how much worse it would be if all those CPE were open recursives instead of open forwarders. I'd like to see CPE manufacturers' decision making and processes improved BEFORE we start encouraging them to go around ISPs' DNS servers or the large public recursive clouds.