[dns-operations] Why would an MTA issue an ANY query instead of an MX query?

Paul Vixie paul at redbarn.org
Sun Jun 10 14:18:36 UTC 2012


On 2012-06-10 10:29 AM, sthaug at nethelp.no wrote:
>> Clue appreciated, thanks!
> One word: qmail. Google "qmail dns any query".

thinking about or acting against ANY is bad infosec economics. any
investment along those lines is wasted, since ANY is merely the low
hanging fruit, and an attacker need only switch over to TXT or RRSIG or
NSEC to get a similar amplification effect from an authoritative name
server, if ANY were widely nonresponsive.

good infosec economics means the bad guy has a larger investment to make
in order to reach the next round than you had to make to exit the last
round.

to that end, vernon schryver and i have been exploring rate limiting in
BIND 9. there's a patch available, which i've so far offered only to
anyone whose server is currently getting abused. what i'm worried about
is that our profile for goodput-vs-badput is wrong-headed or too coarse
grained. so far so good.

options {
    // ... other options; rate-limit belongs in options (or a view), not a "config" block
    rate-limit {
        responses-per-second 5;   // identical responses allowed per second per client block
        window 5;                 // seconds of credit that may bank up (and of debt to pay back)
    };
};

paul
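To make the goodput-vs-badput profile of that rate-limit block concrete, here is an added simulation of response rate limiting; it is not the BIND 9 patch and not code from the post. It assumes the usual RRL shape: responses are bucketed by (client /24, qname, qtype), each bucket starts with one second of credit, credit accrues at responses-per-second and may bank up to window seconds' worth, and debt is clamped to the same bound so a source that stops bursting recovers within the window. The query log lines, client addresses and names are constructed for the example.

```python
"""Simplified response rate limiting (RRL) keyed on (client /24, qname, qtype).
Added illustration; all bucket semantics below are assumptions, not BIND's code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RrlConfig:
    responses_per_second: int = 5   # responses-per-second 5
    window: int = 5                 # window 5
    ipv4_prefix: int = 24           # assumed: IPv4 clients grouped by /24


@dataclass
class Rrl:
    cfg: RrlConfig
    buckets: dict = field(default_factory=dict)  # key -> (credits, last_second)
    sent: int = 0
    dropped: int = 0

    def _key(self, client_ip, qname, qtype):
        net = ipaddress.ip_network(f"{client_ip}/{self.cfg.ipv4_prefix}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def allow(self, now, client_ip, qname, qtype):
        """Return True if the response may be sent at integer second `now`."""
        rps = self.cfg.responses_per_second
        cap = rps * self.cfg.window          # most credit (or debt) a bucket can hold
        key = self._key(client_ip, qname, qtype)
        credits, last = self.buckets.get(key, (rps, now))
        elapsed = now - last
        if elapsed > 0:                      # refill one second's worth per elapsed second
            credits = min(credits + elapsed * rps, cap)
        credits -= 1                         # this response costs one credit
        if credits >= 0:
            self.sent += 1
            allowed = True
        else:
            credits = max(credits, -cap)     # clamp debt so recovery takes at most `window` s
            self.dropped += 1
            allowed = False
        self.buckets[key] = (credits, now)
        return allowed


def parse_query_log(lines):
    """Parse constructed lines like 't=0 client=192.0.2.10 qname=example.com qtype=ANY'."""
    queries = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        queries.append((int(fields["t"]), fields["client"], fields["qname"], fields["qtype"]))
    return sorted(queries, key=lambda q: q[0])   # stable: keeps order within a second


# Constructed log: a 30-query ANY burst in one second from one source (badput),
# plus one MX lookup per second from a mail server for ten seconds (goodput).
SAMPLE_LOG = (
    ["t=0 client=192.0.2.10 qname=example.com qtype=ANY" for _ in range(30)]
    + [f"t={t} client=198.51.100.7 qname=example.com qtype=MX" for t in range(10)]
)


def simulate(lines, cfg=None):
    """Run the limiter over a log; return (responses sent, responses dropped)."""
    rrl = Rrl(cfg or RrlConfig())
    for t, client, qname, qtype in parse_query_log(lines):
        rrl.allow(t, client, qname, qtype)
    return rrl.sent, rrl.dropped


def recovery_after_burst(quiet_seconds, cfg=None):
    """Same ANY burst at t=0, then one more ANY query after `quiet_seconds` of silence."""
    rrl = Rrl(cfg or RrlConfig())
    for _ in range(30):
        rrl.allow(0, "192.0.2.10", "example.com", "ANY")
    return rrl.allow(quiet_seconds, "192.0.2.10", "example.com", "ANY")


def sibling_after_burst(cfg=None):
    """After the burst, a neighbour in the same /24: ANY shares the bucket, MX does not."""
    rrl = Rrl(cfg or RrlConfig())
    for _ in range(30):
        rrl.allow(0, "192.0.2.10", "example.com", "ANY")
    return (rrl.allow(0, "192.0.2.77", "example.com", "ANY"),
            rrl.allow(0, "192.0.2.77", "example.com", "MX"))


if __name__ == "__main__":
    print("sent/dropped:", simulate(SAMPLE_LOG))
    print("recovered after window+1 s:", recovery_after_burst(6))
```

The mail server's MX lookups all get answered while 25 of the 30 identical ANY responses are withheld, and the burst source is answered again once it has been quiet for longer than the window; that is the coarse goodput-vs-badput trade the post describes, and the two knobs that shape it are the two in the rate-limit block.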

