摘要 |
The present disclosure is directed to the reduction of denial of service, DoS, attacks against dynamically generated next secure, NSEC, records. A domain name system, DNS, proxy (602) prevents spoofed IP addresses by forcing clients (600) to transmit DNS queries via transmission control protocol, TCP, by replying (626) to a user datagram protocol, UDP, DNS request (620) with a blank or predetermined resource record with a truncation bit set to indicate that the record is too large to fit within a single UDP packet payload. Under the DNS specification, the client must re-transmit the DNS request via TCP. Upon receipt (634) of the retransmitted request via TCP, the DNS proxy generates (640) fictitious neighbor addresses and a signed NSEC record and transmits (642) the record to the client. Accordingly, the DNS proxy need not waste resources generating and signing records for requests from spoofed IP addresses via UDP. |