[dns-operations] DNS ANY requests from Amazon?

[Vernon Schryver]

> From: "Dobbins, Roland" <rdobbins at arbor.net>

> Sure, but RRL isn't the issue; it's all the rest of what 'application
> firewalls' do which causes them to choke.  I've yet to see one which
> doesn't choke under even moderate DDoS, and have never seen one which
> implements any form of classification in a stateless or minimized-state
> manner.

It's well known that Roland Dobbins doesn't think much of application
firewalls or stateful firewalls in general.  I also don't think much
of application firewalls, and not only because the FUD that is much
of their brochures, the never ending broken vendor promises, or the
exaggerated performace.  I've been grumbling since tcp wrappers first
appeared that application firewalls are usually poor bandaids for
stupid application security holes that could (and should) be more
securely and cheaply fixed in the applications.

But all of those criticisms are irrelevant to what hypothetical firewalls
might do for current and foreseeable DNS security issues.  That currently
popular firewalls can't cope or do only stupid stuff like ANY filtering
doesn't justify rejecting firewalls for reflection attacks on principle.

Besides, DoS attacks on DNS servers themselves (as opposed to using
DNS servers to attack others) are best handled outside in smart (e.g.
sane state table management) application firewalls.  It's not good for
a DNS server to discard excessive (relative to the server's own
resources) requests.  By the time a request can be discarded by the
server, too many local resources have been burned.


Vernon Schryver    vjs at rhyolite.com