@techreport{li-dnsop-resolver-resilience-02, number = {draft-li-dnsop-resolver-resilience-02}, type = {Internet-Draft}, institution = {Internet Engineering Task Force}, publisher = {Internet Engineering Task Force}, note = {Work in Progress}, url = {https://datatracker.ietf.org/doc/draft-li-dnsop-resolver-resilience/02/}, author = {Xiang Li and Yuqi Qiu}, title = {{Best Current Practices for DNS Resolver Resilience Against Coordinated Amplification Attacks}}, pagetotal = 8, year = 2026, month = feb, day = 28, abstract = {This document describes an attack vector, exemplified by the "DNSBomb" attack, that leverages the emergent behavior of several widely- implemented DNS resolver mechanisms. By combining query timeouts, query aggregation, and response timing, an attacker can turn a set of resolvers into powerful amplifiers for a Pulsing Denial-of-Service (PDoS) attack. This attack is difficult to detect due to its low average traffic rate but can be highly effective at overwhelming a target's resources. This document provides operational guidance and a set of best practices for DNS resolver implementers and operators to mitigate this threat. The goal is to harden the DNS ecosystem by reducing the potential for resolvers to be used in such a coordinated fashion, thereby improving the operational resilience of the DNS.}, }