Current behavior
There is no automatic mitigation for an attacked domain when DNSSEC is off. `unwanted-reply-threshold` can only flush caches - it is bad in all cases.
Describe the desired feature
Unbound can detect non-queried answers and mark the domains from those answers as attacked in the cache.
When renew time comes, Unbound can check the "attacked" flag and, if it is set, send queries via TCP first.
Also, some rate limit and expiry time for this flag should exist so as not to treat every non-queried answer as an attack.
The attack flag should expire after some time.
It is an extension of the `unwanted-reply-threshold` option.
Potential use-case
When DNSSEC is off, there are only a few options to mitigate unwanted-reply cache poisoning, like `use-caps-for-id`.
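A sketch of the flag logic requested above, as an added example that is not part of the original issue and is not Unbound code. The struct, the function names and the three tunables are hypothetical, and their values are constructed for illustration.

```c
#include <stdint.h>

/* Hypothetical per-cache-entry state; none of these names exist in Unbound. */
struct attack_state {
    uint64_t window_start;   /* start of the current counting window (seconds) */
    uint32_t unwanted;       /* unsolicited replies seen in this window */
    uint64_t attacked_until; /* flag is set while now < attacked_until */
};

/* Assumed tunables (constructed values, not Unbound defaults). */
#define UNWANTED_WINDOW_SECS  10   /* rate-limit window */
#define UNWANTED_PER_WINDOW   5    /* replies per window before flagging */
#define ATTACK_FLAG_TTL_SECS  300  /* how long the flag stays set */

enum transport { TRANSPORT_UDP, TRANSPORT_TCP };

/* Call when a reply arrives that matches no outstanding query but names
 * this cached domain. Returns 1 if the entry is flagged afterwards. */
int note_unwanted_reply(struct attack_state *s, uint64_t now)
{
    if (now - s->window_start >= UNWANTED_WINDOW_SECS) {
        s->window_start = now;   /* old window expired: restart the count */
        s->unwanted = 0;
    }
    if (s->unwanted < UINT32_MAX)
        s->unwanted++;
    /* Only a burst inside one window sets (or extends) the flag, so a
     * single stray reply is not treated as an attack. */
    if (s->unwanted >= UNWANTED_PER_WINDOW)
        s->attacked_until = now + ATTACK_FLAG_TTL_SECS;
    return now < s->attacked_until;
}

/* Call when the entry is due for renewal: TCP first while the flag is live,
 * plain UDP again once the flag has expired. */
enum transport pick_refresh_transport(const struct attack_state *s, uint64_t now)
{
    return now < s->attacked_until ? TRANSPORT_TCP : TRANSPORT_UDP;
}
```

Unlike flushing the whole cache, the state here is per entry, so only the domains named in the unsolicited replies change transport.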