Ben Aitchison wrote:
Authoritative DNS servers need to implement rate limiting. (a client shouldn't query you twice for the same thing within its TTL).
unbound, with its DNS prefetching, queries a DNS server again in (I think) the last 10% of the TTL when returning a hit to a client, to refresh the TTL and keep it current.
They are the worst things to do against DDoS, as queries must be repeated if query or reply packets are dropped, often because of DDoS. Rate limiting with a token bucket 5 or 7 packets deep could be useful, though it enables 5x or 7x amplification.
That said, a lot of these amplification attacks use ANY requests, which normal clients don't. And those could be rate limited down without affecting normal traffic, I'm sure.
We should rather obsolete DNSSEC, which amplifies a lot even though it is not really deployed.

Masataka Ohta
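As an added illustration of the per-source token bucket discussed above (this is not code from either poster, nor from unbound or any authoritative server), the following Python models a responder that keys a bucket on (source IP, qtype), gives ANY a much smaller bucket than everything else, and shows on constructed traffic that a 100-packet spoofed burst is answered only up to the bucket depth while a resolver that prefetches at 90% of TTL is never refused. The bucket sizes and refill rates are assumptions chosen for the demonstration, not recommended production values.

```python
"""Per-source token-bucket response rate limiting for an authoritative DNS server.

Added example; not from the thread's participants or from any real server.
Policy numbers below are assumptions for illustration only.
"""
import time

# qtype -> (burst depth, tokens refilled per second). Assumed values.
POLICY = {
    "ANY": (1, 0.2),      # normal clients almost never ask ANY, so keep it near zero
}
DEFAULT_POLICY = (5, 1.0)  # the "5 or 7 packets deep" bucket from the discussion


class TokenBucket:
    """Classic token bucket: `capacity` bounds the burst, `rate` the steady state."""

    def __init__(self, capacity, rate, now):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = float(capacity)   # start full so a quiet client is never refused
        self.last = now

    def allow(self, now, cost=1.0):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class ResponseRateLimiter:
    """Decides per (source IP, qtype) whether the server sends an answer at all."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}

    def should_answer(self, src_ip, qtype, now=None):
        now = self.clock() if now is None else now
        key = (src_ip, qtype)
        if key not in self.buckets:
            capacity, rate = POLICY.get(qtype, DEFAULT_POLICY)
            self.buckets[key] = TokenBucket(capacity, rate, now)
        return self.buckets[key].allow(now)


def simulate_burst(limiter, src_ip, qtype, count, interval, start=0.0):
    """Send `count` queries `interval` seconds apart; return how many get answered.

    With a spoofed source this is what the victim actually receives per bucket
    window: the bucket depth, not the number of packets the attacker sent."""
    return sum(
        limiter.should_answer(src_ip, qtype, now=start + i * interval)
        for i in range(count)
    )


def simulate_resolver(limiter, src_ip, ttl=300.0):
    """A well-behaved resolver: one query, an unbound-style prefetch at 90% of
    TTL, then a fresh query after expiry. Returns how many were answered (3)."""
    times = (0.0, 0.9 * ttl, ttl + 1.0)
    return sum(limiter.should_answer(src_ip, "A", now=t) for t in times)


def amplification_factor(answered, sent, response_bytes, query_bytes):
    """Bytes the victim receives per byte the attacker spent."""
    return (answered * response_bytes) / (sent * query_bytes)


if __name__ == "__main__":
    lim = ResponseRateLimiter()
    victim = "203.0.113.7"            # constructed spoofed source
    a_hits = simulate_burst(lim, victim, "A", 100, 0.001)
    any_hits = simulate_burst(lim, victim, "ANY", 100, 0.001)
    print("A flood answered:", a_hits, "of 100")
    print("ANY flood answered:", any_hits, "of 100")
    # 60-byte query vs 1200-byte response, assumed sizes:
    print("amplification, unlimited:", amplification_factor(100, 100, 1200, 60))
    print("amplification, limited:  ", amplification_factor(a_hits, 100, 1200, 60))
    print("resolver queries answered:", simulate_resolver(lim, "198.51.100.3"))
```

The two bursts arrive from the same spoofed address 1 ms apart, so refill contributes almost nothing and the count collapses to the bucket depth; the legitimate resolver's three queries are hundreds of seconds apart and find a full bucket every time. The limiter deliberately drops rather than truncates, since the point in the thread is that an attacker gets at most "depth" responses per window whatever they send.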