On Mon, 4 Dec 2023, Damian Menscher wrote:
have more redundancy/capacity). Based on these estimates, we haven't treated mitigation of small attacks as a high priority. If O(25Kpps) attacks are causing real problems for the community, I'd appreciate that feedback and some hints as to why your experience differs from the ISC BIND load-tests.
Thanks for your note. Here's my problem, which I freely admit puts me way out at the tail of the weird curve. I run abuse.net which lets you look up abuse reporting addresses for domains. If you look up, say, bt.co.uk or mail.bt.co.uk, it'll look the domain up in its internal database and tell you to send reports to abuse@bt.com. I provide lookups via a web site and a whois server, but it occurred to me a while ago that it'd be much faster for everyone if I made a stunt DNS server that does the lookups and synthesizes the answers, e.g.: $ dig mail.bt.co.uk.contacts.abuse.net txt ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;mail.bt.co.uk.contacts.abuse.net. IN TXT ;; ANSWER SECTION: mail.bt.co.uk.contacts.abuse.net. 43200 IN TXT "abuse@bt.com" The DNS server is a perl script I wrote a while ago that synthesizes answers on the fly. It can't be a normal DNS server because the mapping from queries to responses is more complex than you can express with DNS wildcards, and if a domain isn't in the database it returns a default of abuse@<domain>. I have two servers on two networks and normally it works fine until some nitwit does a query flood, probably looking up every domain in every message they see, or maybe an inept listwasher, and the two little perl scripts just can't keep up. What I would like is if large public DNS systems like yours refused to look up anything in contacts.abuse.net, and I tell people that if they want to use the DNS lookup, use your own DNS cache, similar to what DNSBLs do. I suppose I could try and do a split horizon hack on the parent server (abuse.net itself is on ordinary NSD servers) and say the NS for contacts.abuse.net is at 127.0.0.1, but as we've seen it's a challenge keeping track of all the places your queries can come from. Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly