[dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?

Vernon Schryver vjs at rhyolite.com
Thu Sep 27 18:22:16 UTC 2012


>   DNS DDoS amplifier resistance: as a thought, would it be a reasonable
>   step, not hurting interop, to have an authoritative DNS server process
>   a UDP-based ANY query by including, at most, an MX and any A responses
>   in the ANSWER section and setting the TrunCated bit of the response if
>   there were any other records skipped?

Try some experiments to see what kind of amplification you can get
without ANY.  I see about 20X from `dig +dnssec asadfasdf.com`.

If your defenses handle non-ANY attacks, then what do you gain from
doing anything in particular about ANY except more code, more
bugs, more CPU cycles, and fewer queries/second?

Doing anything special for ANY queries makes as little sense as filtering
all ICMP packets.

Why is it that so much of computer security is based on the insane
assumption that everyone else and especially adversaries are stupid?
"There is always an easy solution to every human problem--neat,
plausible, and wrong."  --H. L. Mencken


Vernon Schryver    vjs at rhyolite.com
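As an added example (not code from the post or the list), the Python below builds the wire-format query that `dig +dnssec asadfasdf.com` puts on the wire and computes an amplification ratio from query and response byte counts, which is how the "20X" figure is measured. The response sizes in `SAMPLES` are constructed for illustration, not measured against any server.

```python
import struct

def build_dnssec_query(name: str, qtype: int = 1, udp_payload: int = 4096) -> bytes:
    """Wire-format UDP query equivalent to `dig +dnssec NAME`: one question
    plus an EDNS0 OPT record with the DO (DNSSEC OK) bit set. The transaction
    ID is fixed to 0 here because only the byte length matters."""
    # ID=0, flags=RD, QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = requestor's UDP payload size,
    # TTL field = ext. RCODE 0 / EDNS version 0 / flags with DO=0x8000, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0x8000, 0)
    return header + question + opt

def amplification_ratio(query_len: int, response_len: int) -> float:
    """Bytes returned per byte sent; the quantity an amplifier is judged by."""
    return response_len / query_len

def worst_amplifier(samples):
    """From (label, query_bytes, response_bytes) triples, return the triple
    with the highest response/query ratio, regardless of query type."""
    return max(samples, key=lambda s: amplification_ratio(s[1], s[2]))

# Constructed sizes (not measurements): a clipped ANY answer with TC set
# versus a DNSSEC-signed A answer and a plain MX answer for the same zone.
SAMPLES = [
    ("ANY (clipped, TC set)", 31, 120),
    ("A +dnssec", 42, 840),
    ("MX", 31, 210),
]

if __name__ == "__main__":
    q = build_dnssec_query("asadfasdf.com")
    print(f"{len(q)}-byte query")  # a 42-byte query at 20X is an ~840-byte reply
    label, qlen, rlen = worst_amplifier(SAMPLES)
    print(f"worst amplifier: {label} at {amplification_ratio(qlen, rlen):.1f}X")
```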


