Google DNS intermittent ServFail for Disney subdomain

David Conrad drc at virtualized.org
Sun Oct 22 16:23:12 UTC 2017


Damian,

Pragmatically speaking, I strongly suspect the increase in valid queries to authoritative servers even if all “large recursive resolvers” went away would be lost in the noise of the overcapacity necessary to deal with even a lower-end DDoS attack.

Perhaps more interestingly, if said recursive resolvers on home routers would implement DNSSEC with RFC 8198 (and the owners of the authoritative zones would sign those zones), an entire class of DDoS attack would be mitigated. Further, if said recursive resolvers also implemented RFC 7706, latency to the root would be reduced and the risk to the network behind that recursive resolver of a DDoS against the root of the DNS would be removed.

Regards,
-drc

On Oct 22, 2017, 12:00 AM -0700, Damian Menscher via NANOG <nanog at nanog.org>, wrote:
> On Fri, Oct 20, 2017 at 6:29 AM, Filip Hruska <fhr at fhrnet.eu> wrote:
>
> > Would be great if makers of home routers would implement full recursive
> > DNS resolvers
> > instead of just forwards in their gear.
>
>
> Ignoring the latency impact of your proposal, I wonder what would happen to
> the world's authoritative servers if all users hit them directly rather
> than going through large recursive resolvers that do caching? I'm guessing
> it wouldn't be pretty.
>
> Damian
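An added illustration of the RFC 8198 point made above (this is example code written for this page, not code from the thread or from any resolver implementation). It models the aggressive NSEC caching a validating resolver can do: once the resolver has cached the handful of NSEC records that partition a signed zone, a random-subdomain ("water torture") flood is answered NXDOMAIN from cache and stops reaching the authoritative servers. The zone example.test. and its three-record NSEC chain are constructed for the example; RRSIGs, type bitmaps and multi-zone cache scoping are omitted.

```python
"""Toy model of RFC 8198 aggressive NSEC caching (added example, not from the thread).

A validating resolver that caches the NSEC records it receives can prove, from
cache alone, that a random name under a signed zone does not exist, so a flood
of random-subdomain queries stops reaching the authoritative servers once the
few NSEC intervals of the zone have been learned. The zone example.test. and
its NSEC chain are constructed here; RRSIGs and type bitmaps are omitted.
"""
import random
from dataclasses import dataclass


def canon(name: str) -> tuple:
    """Canonical ordering key (RFC 4034 s6.1): labels from the root, lowercase octets.
    Tuple comparison makes an ancestor sort before its descendants."""
    labels = [lab.lower().encode() for lab in name.rstrip(".").split(".") if lab]
    return tuple(reversed(labels))


def common_ancestor(a: str, b: str) -> str:
    """Longest common ancestor of two names, returned as an absolute name."""
    ka, kb = canon(a), canon(b)
    n = 0
    while n < len(ka) and n < len(kb) and ka[n] == kb[n]:
        n += 1
    return ".".join(lab.decode() for lab in reversed(ka[:n])) + "."


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str  # the last NSEC of a zone points back to the apex

    def covers(self, qname: str) -> bool:
        """True if qname falls strictly inside this NSEC's interval."""
        q, o, nx = canon(qname), canon(self.owner), canon(self.next_name)
        if o < nx:
            return o < q < nx
        return q > o or q < nx  # wrap-around interval at the end of the chain


def closest_encloser(qname: str, nsec: NSEC) -> str:
    """Closest encloser of a non-existent qname, derived from the NSEC covering it:
    the longer of its common ancestors with the owner name and with the next name."""
    a, b = common_ancestor(qname, nsec.owner), common_ancestor(qname, nsec.next_name)
    return a if len(canon(a)) >= len(canon(b)) else b


class Resolver:
    """Single-zone validating resolver; the NSEC chain stands in for the authoritative server."""

    def __init__(self, chain):
        self.chain = chain
        self.cache = set()
        self.upstream_queries = 0

    def synthesizable(self, qname: str) -> bool:
        """RFC 8198 s5.1: NXDOMAIN may be synthesized only if cached NSECs cover both
        qname and the wildcard at its closest encloser."""
        cov = next((r for r in self.cache if r.covers(qname)), None)
        if cov is None:
            return False
        wildcard = "*." + closest_encloser(qname, cov)
        return any(r.covers(wildcard) for r in self.cache)

    def _ask_authoritative(self, qname: str) -> str:
        self.upstream_queries += 1
        if any(r.owner == qname for r in self.chain):
            return "NOERROR"  # name exists; this toy only models negative answers
        # RFC 4035 s3.1.3.2: an NXDOMAIN response carries the NSEC covering qname and
        # the NSEC covering the wildcard at the closest encloser; cache both.
        cov = next(r for r in self.chain if r.covers(qname))
        wcov = next(r for r in self.chain if r.covers("*." + closest_encloser(qname, cov)))
        self.cache.update({cov, wcov})
        return "NXDOMAIN"

    def resolve(self, qname: str, aggressive: bool = True) -> str:
        if aggressive and self.synthesizable(qname):
            return "NXDOMAIN"  # answered from cache, nothing sent upstream
        return self._ask_authoritative(qname)


ZONE = "example.test."  # constructed zone for this example
CHAIN = [
    NSEC(ZONE, "a.example.test."),
    NSEC("a.example.test.", "m.example.test."),
    NSEC("m.example.test.", ZONE),
]


def water_torture(n: int, aggressive: bool, seed: int = 1) -> int:
    """Send n random-label queries under ZONE; return how many reached the authoritative side."""
    rng = random.Random(seed)
    r = Resolver(CHAIN)
    for _ in range(n):
        label = "".join(rng.choices("abcdefghijklmnopqrstuvwxyz0123456789", k=12))
        r.resolve(f"{label}.{ZONE}", aggressive)
    return r.upstream_queries


if __name__ == "__main__":
    print("without RFC 8198:", water_torture(1000, aggressive=False))
    print("with RFC 8198:   ", water_torture(1000, aggressive=True))
```

Without aggressive caching every one of the random queries is forwarded; with it, the count of upstream queries is bounded by the number of NSEC intervals in the zone (three here), because each NXDOMAIN response teaches the resolver both the interval covering the name and the interval covering the wildcard at the closest encloser. The wildcard check is the part that is easy to forget: if "*.example.test." actually existed, no NSEC would cover it, synthesizable() would return False, and the resolver would correctly go upstream rather than fabricate an NXDOMAIN.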
