[dns-operations] responding to spoofed ANY queries
jim at rfc1035.com
Thu Jan 10 10:24:15 UTC 2013
On 10 Jan 2013, at 09:53, George Michaelson <ggm at apnic.net> wrote:
> What makes you think they won't? I mean, isn't this a classic mistake of
> cold war defense modelling, that you assume your enemy will use weapons you
> can confidently defend against and ignore the ones you suspect you cannot?
It would be if that's what I was suggesting. Which isn't the case George. I hoped I was saying that while blocking ANY queries might buy some short term relief, it wouldn't help in the long run. Oh well.
Whatever defences get added to our name servers are going to prolong an arms race. However, to continue with the military analogy, we're fighting the wrong battle in the wrong place with the wrong equipment and the wrong tactics. I'll fight in that battle because it's pretty much the only option open to me.
Things like RRL or kernel firewall setups are all very well. It's good that we have these. But these address the symptoms, not the underlying disease. [Apologies for mixing metaphors.] What's needed IMO is stronger action on BCP38, more help from IXPs and Tier-1s to identify and stop the bogus traffic. High profile arrests that lead to jail time would be good too. I hope we all know this and agree.
More information about the dns-operations