[dns-operations] responding to spoofed ANY queries

sthaug at nethelp.no sthaug at nethelp.no
Thu Jan 10 13:10:58 UTC 2013


> > It would be nice if ANY queries just got thrown away. I can live with the
> > breakage that causes. YMMV. However if there was something that generally
> > blocked or discarded ANY queries, the bad guys would switch to some other
> > QTYPE that can't be blocked without causing significant operational
> > problems.
> 
> What makes you think they won't? I mean, isn't this a classic mistake of
> cold war defense modelling, that you assume your enemy will use weapons you
> can confidently defend against and ignore the ones you suspect you cannot?
> 
> ANY has good amplification. If it's not working, they surely will move to
> others. Or both. And if it is working they may move to others anyway.

The bad guys are *already* using other tools than ANY queries - for
instance, I have seen quite a few amplification attacks based on TXT
queries.

There's nothing new under the sun...

Steinar Haug, AS 2116
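
The point made in this thread, as an added example that is not part of the original message: a filter keyed on QTYPE catches only the ANY traffic, while accounting for response/query byte ratio per claimed source also catches the TXT-based amplification. The log records, sizes and thresholds below are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: (claimed source IP, QTYPE, query bytes, response bytes).
# Addresses are documentation ranges; sizes are illustrative, not measured.
# In a reflection attack the claimed source is spoofed, i.e. it is the victim.
SAMPLE_LOG = [
    ("192.0.2.10", "ANY", 64, 3100),
    ("192.0.2.10", "ANY", 64, 3100),
    ("192.0.2.10", "ANY", 64, 3100),
    ("198.51.100.7", "TXT", 60, 1900),
    ("198.51.100.7", "TXT", 60, 1900),
    ("198.51.100.7", "TXT", 60, 1900),
    ("203.0.113.5", "A", 58, 74),
    ("203.0.113.5", "AAAA", 58, 86),
    ("203.0.113.5", "MX", 58, 120),
]


def flag_by_qtype(log, blocked=("ANY",)):
    """Claimed sources that a QTYPE-based filter would act on."""
    return {src for src, qtype, _, _ in log if qtype in blocked}


def flag_by_amplification(log, min_ratio=10.0, min_bytes=4000):
    """Claimed sources receiving heavily amplified traffic, whatever the QTYPE.

    min_ratio and min_bytes are assumed thresholds for this example only.
    """
    q_bytes = defaultdict(int)
    r_bytes = defaultdict(int)
    for src, _qtype, q_len, r_len in log:
        q_bytes[src] += q_len
        r_bytes[src] += r_len
    return {
        src
        for src in q_bytes
        if r_bytes[src] >= min_bytes and r_bytes[src] / q_bytes[src] >= min_ratio
    }


def missed_by_qtype_filter(log):
    """Amplified sources that an ANY-only filter never sees."""
    return flag_by_amplification(log) - flag_by_qtype(log)


if __name__ == "__main__":
    print("QTYPE filter flags:   ", sorted(flag_by_qtype(SAMPLE_LOG)))
    print("Ratio-based flags:    ", sorted(flag_by_amplification(SAMPLE_LOG)))
    print("Missed by ANY filter: ", sorted(missed_by_qtype_filter(SAMPLE_LOG)))
```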


