[dns-operations] DNS deluge for x.p.ctrc.cc
Mark_Andrews at isc.org
Mon Feb 27 21:39:31 UTC 2006
> > On Mon, Feb 27, 2006 at 12:20:28AM +0000, Paul Vixie wrote:
> > > # What other applications using larger packets would it break?
> > >
> > > responses containing AAAA RR's are one example. RFC 2671 was not written
> > > pointlessly, or at least i hope (as its author) that it wasn't pointless.
> > What about query size limit. At least for servers, or any host for
> > that matter, that would never receive DNS answers itself (e.g. in the
> > case of an authoritative only server), would limiting packets to 512
> > filter something potentially legitimate?
> > I realize this doesn't particularly help most victims in the wave of
> > attacks being discussed here, there have been attacks that shower 4KB
> > answers at hosts that should never be getting those answers.
> > Yes, I realize filtering at this granular level this is just a
> > band-aid. Just curious in understanding what limitations there might
> > be on questions.
> And, from the answer side of things, it is kind of too bad that there is
> no way for a client to signal back "I didn't ask you that question", or
> for a recursing nameserver to do something useful with a port unreach,
It's UDP. You get "port unreach" in normal operations.
> ... JG
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CN
> With 24 million small businesses in the US alone, that's way too many apples.
> dns-operations mailing list
> dns-operations at lists.oarci.net
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the dns-operations