[dns-operations] Restrict ANY query to TCP ? Re: Why would an MTA issue an ANY query instead of an MX query?

Matthew Pounsett matt at conundrum.com
Mon Jun 11 19:12:35 UTC 2012

On 2012/06/11, at 13:57, Thomas Dupas wrote:

> Well, partly from what I see.
> Posts from yesterday already mentioned that many sources are not spoofed for the actual query the nameserver sees.
> If I look at our logs I see that most of the any queries come from north-america, not china. They use spoofed source ip's to reach the cpe, but the cpe queries towards the nameserver aren't spoofed.
> Forcing any queries to tcp won't change that.

The vast majority of DoS-scale ANY queries we (Afilias) see are spoofed, generating attacks against a third party.

On 2012/06/11, at 13:46, Olafur Gudmundsson wrote:

> how about much simpler configuration option to force all
> any queries to be reissued over TCP,
> 	restrict-any-udp  "yes/no";

Because that only solves the problem of ANY queries.  If they were forced over TCP, then the next easiest attack vector is spoofed DNSKEY queries.   (source,query,answer) tuple rate limiting handles the entire attack method, not just a single qtype.

More information about the dns-operations mailing list