[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Marco Davids (SIDN) marco.davids at sidn.nl
Wed Jun 22 10:00:34 UTC 2011

On 06/22/11 11:38, Stephane Bortzmeyer wrote:

>> I always wondered why there is no option to disable ANY-queries on
>> an authoritative server.
> For .FR, a query on DNSKEY (the largest one) elicits a response which
> is 60 % of the size of the ANY response (for .NL, it is more like
> 40 %). I wonder if it is sufficient mitigation.

Are you saying that, with ANY-queries blocked, a hacktivist would need a
roughly twice as large botnet to be equally effective?



More information about the dns-operations mailing list