[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Marco Davids (SIDN)
marco.davids at sidn.nl
Wed Jun 22 10:00:34 UTC 2011
On 06/22/11 11:38, Stephane Bortzmeyer wrote:
>> I always wondered why there is no option to disable ANY-queries on
>> an authoritative server.
>
> For .FR, a query on DNSKEY (the largest one) elicits a response which
> is 60 % of the size of the ANY response (for .NL, it is more like
> 40 %). I wonder if it is sufficient mitigation.
Are you saying that, with ANY-queries blocked, a hacktivist would need a
roughly twice as large botnet to be equally effective?
;-)
-
Marco