[sdnog] DNS servfail vs nxdomain

Daniel Shaw danielshaw at protonmail.com
Thu Jan 12 10:56:08 SAST 2017


Nope, I didn't explain well :)

SERVFAIL = "a name server that should reply, failed. It did not reply."
It's already failed. It's not running, its network is down, or indeed it's already being DDoS-ed.

It may or may not be your name server. All this means is:
You asked the global DNS for the answer to a DNS query. Nothing could reply. For some reason. Which means something somewhere is broken.
Yes, it is true that if a caching resolver gets a SERVFAIL from one NS, it will retry a bit, and then try another and so on.

As an end user, if another NS replies, you may never see the initial SERVFAIL. You'd get a valid response, just with some delay in getting the reply.

Normally, if you actually get back a SERVFAIL, it means *no* nameservers replied. In other words, things are pretty bad! :)

Of course if you query an authoritative name server directly yourself, then all you are testing is that one server. There is no retrying. And there is no caching in any case.

Securing against DDoS is a whole new thread! :)



-------- Original Message --------
Subject: Re: [sdnog] DNS servfail vs nxdomain
Local Time: January 12, 2017 12:37 PM
UTC Time: January 12, 2017 8:37 AM
From: samir.saif at sudren.edu.sd
To: Daniel Shaw <danielshaw at protonmail.com>
Sudan NOG <sdnog at sdnog.sd>


Hi Daniel

If SERVFAIL is not cached because there is no reply, I assume this will also mean that the caching server waits until it times out, which might cause performance issues.
So how do I properly secure my server if I face a DDoS attack of this type?
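The retry behaviour discussed in the thread (a resolver walking the NS set, skipping servers that time out or answer SERVFAIL, caching NXDOMAIN but handing back SERVFAIL only when nothing answered) as an added, self-contained model. This is illustration written for this page, not code from the list or from any real resolver. The wire-format parts follow RFC 1035 section 4.1; the negative-caching TTLs follow RFC 2308 (NXDOMAIN cached for the SOA MINIMUM, here assumed to be 300 s; SERVFAIL not cached by default, though RFC 2308 section 7.1 allows up to five minutes, which the `servfail_ttl` knob models). `FakeServer`, `CachingResolver`, the 3600 s positive TTL and the server behaviours are all constructed for the demo.

```python
"""Toy caching resolver: how SERVFAIL and NXDOMAIN differ in retry and caching.
Added illustration for the sdnog thread; not code from the list.
Nameservers and TTLs below are constructed for the demo."""
import struct
import time

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}  # RFC 1035 section 4.1.1


def encode_name(qname):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qname, qid=0x1234, qtype=1):
    """Minimal DNS query: RD=1, one question, class IN, no other sections."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, rcode):
    """Constructed reply: echo the question with QR=1, RA=1 and the given RCODE."""
    qid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8180 | (rcode & 0x0F)  # QR=1, RD=1, RA=1, RCODE in the low 4 bits
    return struct.pack("!HHHHHH", qid, flags, qd, 0, 0, 0) + query[12:]


def rcode_of(response):
    """Read the RCODE from the low 4 bits of the flags word (bytes 2-3)."""
    flags = struct.unpack("!H", response[2:4])[0]
    return RCODES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F))


class FakeServer:
    """Constructed nameserver: answers with a fixed RCODE, or never replies (rcode=None)."""
    def __init__(self, name, rcode=None):
        self.name, self.rcode = name, rcode

    def query(self, packet):
        if self.rcode is None:
            raise TimeoutError(self.name)  # models a dead host or a DDoS-ed server
        return build_response(packet, self.rcode)


class CachingResolver:
    def __init__(self, servers, neg_ttl=300, servfail_ttl=0):
        self.servers = servers
        self.neg_ttl = neg_ttl            # NXDOMAIN TTL = SOA MINIMUM (RFC 2308 s.5), assumed 300 s
        self.servfail_ttl = servfail_ttl  # 0 = never cached; RFC 2308 s.7.1 permits up to 300 s
        self.cache = {}                   # qname -> (rcode name, expiry time)

    def resolve(self, qname, now=None):
        """Return (rcode name, number of servers tried). 0 tries means a cache hit."""
        now = time.time() if now is None else now
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0], 0
        packet = build_query(qname)
        tries = 0
        for server in self.servers:
            tries += 1
            try:
                answer = rcode_of(server.query(packet))
            except TimeoutError:
                continue  # no reply at all: the client just sees delay, move to the next NS
            if answer == "SERVFAIL":
                continue  # that server is broken; another NS may still answer
            ttl = self.neg_ttl if answer == "NXDOMAIN" else 3600  # positive TTL assumed
            self.cache[qname] = (answer, now + ttl)
            return answer, tries
        # Every server timed out or failed: the client finally sees SERVFAIL.
        if self.servfail_ttl:
            self.cache[qname] = ("SERVFAIL", now + self.servfail_ttl)
        return "SERVFAIL", tries


if __name__ == "__main__":
    mixed = CachingResolver([FakeServer("ns1"), FakeServer("ns2", 2), FakeServer("ns3", 3)])
    print(mixed.resolve("nosuch.example.", now=1000.0))  # answered by ns3 after two misses
    print(mixed.resolve("nosuch.example.", now=1001.0))  # NXDOMAIN served from cache
    dead = CachingResolver([FakeServer("ns1"), FakeServer("ns2", 2)])
    print(dead.resolve("www.example.", now=1000.0))      # nothing replied: SERVFAIL
    print(dead.resolve("www.example.", now=1001.0))      # SERVFAIL is retried, not cached
```

Querying one authoritative server directly, as the reply above notes, is the equivalent of calling `FakeServer.query` yourself: there is no loop over the NS set and no cache in front of you, so a single dead host shows up immediately as a timeout rather than being masked by a sibling that still answers.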

