DGA Attack mitigation

Paul Vixie paul at redbarn.org
Mon Apr 9 21:26:12 UTC 2018

Rainer Duffner wrote:
>> Am 09.04.2018 um 21:15 schrieb Paul Vixie <paul at redbarn.org
>> <mailto:paul at redbarn.org>>:
>> the source addresses are forged. the victims are not unclean in any
>> way. this is why rrl exists.
> Most people using our resolvers use our CPE, our lines, our servers….
> And the rest doesn’t even have access.
> Obviously, Mahdi is running a a shop that is a bit larger than ours.

if they are real clients beating you to death with junk queries that all 
return nxdomain, you can still win with rrl. less frequent nxdomain 
responses will cause the apps to get less work done because they are 
waiting on you. thus it will slow the rate of junk queries.

this is exactly the problem that makes me recommend running a local rdns 
on every LAN, or at least every house/building/campus, and in my case, 
on every laptop. i need fast negative responses and i don't want to pay 
in upstream bandwidth, or work flow delay, to get them.

P Vixie

More information about the Unbound-users mailing list