[dns-operations] responding to spoofed ANY queries

Paul Wouters paul at cypherpunks.ca
Thu Jan 10 15:00:12 UTC 2013


On Thu, 10 Jan 2013, Jim Reid wrote:

> IMO, responding to these spoofed queries is a Bad Idea.

Not responding is worse.

- valid recursors will just retry

- valid recursors might conclude the auth server is slow/bad/unreachable and avoid it for legitimate
queries as well.

> The BIND RRL patch -- just reply to one in a thousand (say) of the bogus queries -- is perhaps the best defence. Though it's not the only one.

It's a _much_ better defense.

> It would be nice if ANY queries just got thrown away.

No it would not be. Just like a totally mangled packet still gets an
answer. You want legitimate resolvers to stop retrying their bogus
stuff.

Additionally, once ANY queries would be dropped, attackers would move to
requesting NSEC3 answers or CNAME/DNAME chains.

Paul
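A simplified model of the rate limiting discussed in this thread, added here as an illustration rather than code from BIND or from either poster: answers per (client prefix, qname, qtype) are capped per second, and every N-th limited query still gets a truncated reply so a genuine resolver that keeps retrying eventually gets through. The class name, parameters and the traffic sample are constructed for the example.

```python
import ipaddress
from collections import defaultdict

class ResponseRateLimiter:
    """Constructed model of DNS Response Rate Limiting (not BIND's implementation)."""

    def __init__(self, responses_per_second=5, slip=1000, v4_prefix=24, v6_prefix=56):
        self.limit = responses_per_second   # answers allowed per key per second
        self.slip = slip                    # every slip-th limited query gets a TC=1 reply
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.windows = {}                   # key -> (second, answered in that second)
        self.limited = defaultdict(int)     # key -> number of rate-limited queries

    def _key(self, src_ip, qname, qtype):
        # Spoofed sources vary within a block, so key on the client's prefix, not the host.
        addr = ipaddress.ip_address(src_ip)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        net = ipaddress.ip_network(f"{src_ip}/{plen}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, t, src_ip, qname, qtype):
        """Return 'answer', 'slip' (truncated reply, retry over TCP) or 'drop'."""
        key = self._key(src_ip, qname, qtype)
        second = int(t)
        start, answered = self.windows.get(key, (second, 0))
        if start != second:                 # new one-second window, reset the counter
            answered = 0
        if answered < self.limit:
            self.windows[key] = (second, answered + 1)
            return "answer"
        self.windows[key] = (second, answered)
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            return "slip"
        return "drop"

def run(limiter, queries):
    """Tally decisions for a list of (time, src_ip, qname, qtype) records."""
    counts = defaultdict(int)
    for t, src, qname, qtype in queries:
        counts[limiter.decide(t, src, qname, qtype)] += 1
    return dict(counts)

# Constructed traffic: 3000 spoofed ANY queries within one second from one block,
# plus a single legitimate resolver asking the same name from a different block.
SPOOFED = [(i / 3000, "192.0.2.77", "example.com.", "ANY") for i in range(3000)]
LEGIT = [(0.5, "198.51.100.9", "example.com.", "ANY")]

if __name__ == "__main__":
    print(run(ResponseRateLimiter(), SPOOFED + LEGIT))
```

The spoofed burst yields a handful of full answers and a couple of truncated replies while the rest is dropped, and the legitimate resolver in another prefix is answered normally.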
