[dns-operations] responding to spoofed ANY queries

Jim Reid jim at rfc1035.com
Thu Jan 10 09:48:25 UTC 2013


On 10 Jan 2013, at 07:11, Florian Weimer <fw at deneb.enyo.de> wrote:

> Some breakage is unavoidable.  Considering that ANY queries rarely
> give the results expected by the sender, refusing them outright makes
> sense to me.

+1

IMO, responding to these spoofed queries is a Bad Idea. After all, the object of the attack is to flood the victim and/or your server's outbound link(s) with unwanted traffic. It makes little sense to go along with that. Returning a TC=1 to force a fallback to TCP is all very well. However, it still means sending a response to a probably spoofed IP address for a bogus query.

The BIND RRL patch -- just reply to one in a thousand (say) of the bogus queries -- is perhaps the best defence. Though it's not the only one.

It would be nice if ANY queries just got thrown away. I can live with the breakage that causes. YMMV. However, if there were something that generally blocked or discarded ANY queries, the bad guys would switch to some other QTYPE that can't be blocked without causing significant operational problems.
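As an added illustration (not part of the message above, and not BIND's own code), the following Python model shows what "reply to one in a thousand (say)" looks like when implemented as BIND-style response rate limiting: one credit bucket per (source /24, qname, qtype), a "slip" that turns every N-th over-limit response into a tiny TC=1 stub, and everything else silently dropped. The victim address, the legitimate client, and all packet sizes are constructed for the example; the counts it produces show why a slipped TC=1 is still "sending a response to a probably spoofed IP address", just a very small one.

```python
"""Toy model of BIND-style response rate limiting (RRL) against a spoofed
ANY flood.  Added example; not code from the list thread or from BIND.

Per (source /24, qname, qtype) bucket:
  - capacity = responses_per_second * window credits, refilled by
    responses_per_second every whole second;
  - a query that finds no credit is "over limit": every slip-th such query
    gets a small TC=1 reply (a real client retries over TCP), the rest are
    silently dropped.
Packet sizes are constructed for illustration, not measured.
"""
from collections import defaultdict
import ipaddress

QUERY_BYTES = 40        # constructed: UDP query for <name> IN ANY
FULL_ANY_BYTES = 3000   # constructed: large ANY answer from a DNSSEC-signed zone
TC_BYTES = 60           # constructed: header + question only, TC=1, no answer


class RRL:
    def __init__(self, responses_per_second=5, window=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.capacity = responses_per_second * window
        self.slip = slip                 # 0 means never slip, just drop
        self.prefix_len = prefix_len
        self.credit = {}                 # bucket -> credits left
        self.refilled_at = {}            # bucket -> second of last refill
        self.over = defaultdict(int)     # bucket -> over-limit count (for slip)

    def bucket(self, src, qname, qtype):
        net = ipaddress.ip_network(f"{src}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, now, src, qname, qtype):
        """Return 'send' (full answer), 'slip' (TC=1 stub) or 'drop'.
        now is an integer second; refill happens on whole-second boundaries."""
        b = self.bucket(src, qname, qtype)
        if b not in self.credit:
            self.credit[b] = self.capacity
            self.refilled_at[b] = now
        elif now > self.refilled_at[b]:
            self.credit[b] = min(self.capacity,
                                 self.credit[b] + self.rps * (now - self.refilled_at[b]))
            self.refilled_at[b] = now
        if self.credit[b] >= 1:
            self.credit[b] -= 1
            return "send"
        self.over[b] += 1
        if self.slip and self.over[b] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(rrl, flood_queries=1000):
    """Spoofed ANY burst aimed at one victim, plus one genuine client.
    Returns counts and the bytes the victim actually receives."""
    victim = "192.0.2.10"     # constructed: spoofed source, i.e. the attack target
    legit = "198.51.100.7"    # constructed: a real resolver in another /24
    counts = {"send": 0, "slip": 0, "drop": 0}
    for _ in range(flood_queries):             # whole burst lands in second 0
        counts[rrl.decide(0, victim, "example.com", "ANY")] += 1
    legit_sent = sum(rrl.decide(sec, legit, "example.com", "ANY") == "send"
                     for sec in range(3))      # one query per second
    to_victim = counts["send"] * FULL_ANY_BYTES + counts["slip"] * TC_BYTES
    attacker_cost = flood_queries * QUERY_BYTES
    return {
        "sent": counts["send"], "slipped": counts["slip"], "dropped": counts["drop"],
        "legit_sent": legit_sent,
        "bytes_without_rrl": flood_queries * FULL_ANY_BYTES,
        "bytes_to_victim": to_victim,
        "amplification_without_rrl": flood_queries * FULL_ANY_BYTES / attacker_cost,
        "amplification_with_rrl": to_victim / attacker_cost,
    }


if __name__ == "__main__":
    for slip in (2, 0):
        r = simulate(RRL(responses_per_second=5, window=5, slip=slip))
        print(f"slip={slip}: {r}")
```

With the defaults (5 responses/second, 5-second window, slip 2) a burst of 1000 spoofed ANY queries gets 25 full answers, 487 TC=1 stubs and 488 drops, so the victim receives about 104 KB instead of 3 MB; the genuine client in a different /24 is untouched because it has its own bucket. Setting slip to 0 drops every over-limit response, which is the "throw it away" behaviour argued for above, at the price that a real client sharing a /24 with a victim sees pure loss with no TC hint to fall back to TCP. In BIND the equivalent knobs live in the options block as rate-limit { responses-per-second N; window N; slip N; }; the real implementation also keys on the response code and rate-limits errors separately, which this model omits.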