[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Marco Davids (SIDN)
marco.davids at sidn.nl
Wed Jun 22 09:31:50 UTC 2011
On 06/22/11 09:38, Stephane Bortzmeyer wrote:
> Is there somewhere an existing list of practices which can be used by
> authoritative DNSSEC name servers to mitigate the problem? We use nsd
> and BIND which, as far as I know, have no rate-limiting
> features. Other ideas?
I always wondered why there is no option to disable ANY-queries on an
authoritative server.
Unless I am missing something here, it should be safe to return a
REFUSED for them (I was told that Postfix is using them for some obscure
reason, so maybe I am talking rubbish here).
In any case, disallowing ANY-queries *might* perhaps be considered in
the combat against DNSSEC-based amplification attacks.
Regards,
--
Marco
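The mitigation discussed above (answering excess ANY queries with REFUSED instead of a large DNSSEC-signed response) can be modelled as a per-source sliding-window budget. The following is an added example, not code from nsd, BIND or this thread; the window, budget, IP addresses and byte sizes are all constructed for illustration.

```python
"""Per-source ANY-query limiter for an authoritative name server (hypothetical).

Models the policy from the thread: a source may have a small number of
ANY queries answered per window; further ANY queries in that window get
REFUSED (a header-sized reply), so the amplification factor collapses.
Other query types are always answered.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0          # assumed sliding window length
ANY_BUDGET_PER_WINDOW = 5      # assumed ANY answers allowed per source per window


class AnyRateLimiter:
    def __init__(self, window=WINDOW_SECONDS, budget=ANY_BUDGET_PER_WINDOW):
        self.window = window
        self.budget = budget
        # source address -> timestamps of ANY queries answered within the window
        self._answered = defaultdict(deque)

    def decide(self, src, qtype, ts):
        """Return 'ANSWER' or 'REFUSED' for one incoming query."""
        if qtype != "ANY":
            return "ANSWER"
        recent = self._answered[src]
        # Expire timestamps that have fallen out of the sliding window.
        while recent and ts - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.budget:
            return "REFUSED"
        recent.append(ts)
        return "ANSWER"


# Constructed sample traffic: (timestamp, source, qtype, query_bytes, response_bytes).
# 203.0.113.5 plays a spoofed victim address being hammered with ANY queries
# whose signed answers are ~3000 bytes; 192.0.2.10 is an ordinary client.
SAMPLE_QUERIES = [
    (0.0, "203.0.113.5", "ANY", 64, 3000),
    (1.0, "203.0.113.5", "ANY", 64, 3000),
    (2.0, "203.0.113.5", "ANY", 64, 3000),
    (2.5, "192.0.2.10", "A", 60, 120),
    (3.0, "203.0.113.5", "ANY", 64, 3000),
    (3.5, "192.0.2.10", "ANY", 64, 3000),
    (4.0, "203.0.113.5", "ANY", 64, 3000),
    (5.0, "203.0.113.5", "ANY", 64, 3000),   # budget exhausted -> REFUSED
    (6.0, "203.0.113.5", "ANY", 64, 3000),   # REFUSED
    (7.0, "203.0.113.5", "ANY", 64, 3000),   # REFUSED
    (12.0, "203.0.113.5", "ANY", 64, 3000),  # early entries expired -> ANSWER
]


def run_policy(queries, limiter=None):
    """Apply the limiter to a query stream; returns [(ts, src, qtype, decision)]."""
    limiter = limiter or AnyRateLimiter()
    return [(ts, src, qt, limiter.decide(src, qt, ts)) for ts, src, qt, _, _ in queries]


def per_source_summary(queries, decisions):
    """Bytes the server would emit per source with and without the limiter.

    A REFUSED reply is approximated as the same size as the query
    (header plus question section), which is an assumption of this model.
    """
    summary = defaultdict(lambda: {"answered": 0, "refused": 0,
                                   "bytes_out": 0, "bytes_unlimited": 0})
    for (_, src, _, qbytes, rbytes), (_, _, _, decision) in zip(queries, decisions):
        s = summary[src]
        s["bytes_unlimited"] += rbytes
        if decision == "ANSWER":
            s["answered"] += 1
            s["bytes_out"] += rbytes
        else:
            s["refused"] += 1
            s["bytes_out"] += qbytes
    return dict(summary)


if __name__ == "__main__":
    decisions = run_policy(SAMPLE_QUERIES)
    for src, s in per_source_summary(SAMPLE_QUERIES, decisions).items():
        print(f"{src}: answered={s['answered']} refused={s['refused']} "
              f"bytes_out={s['bytes_out']} (unlimited: {s['bytes_unlimited']})")
```

Run as a script it prints the per-source totals; the victim address gets three of its nine ANY queries refused and the outbound byte count drops from 27000 to 18192, while the ordinary client is untouched. A real deployment would of course key the window on something narrower than a bare source address (prefix, or per-zone), and the budget would be tuned to observed legitimate ANY traffic such as the Postfix case mentioned in the post.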