[dns-operations] Storm on the DNS
jared at puck.nether.net
Thu Dec 17 13:48:59 UTC 2015
> On Dec 16, 2015, at 1:49 AM, Roland Dobbins <rdobbins at arbor.net> wrote:
> On 16 Dec 2015, at 13:39, Yonghua Peng wrote:
>> So we have no valid way to defend a spoofed IP attack?
> Yes, we do. The issue is complete traceback to the actual sources of the spoofed packets, through multiple administrative domains run by the ignorant, the inept, and/or the indifferent.
For me, what’s important is having multiple planes available for mitigation:
TCP, UDP, v4, v6.
A server that is able to send/receive queries on all will be better suited to deal with a robust set of events.
Basically: Yes, there is a reason to IPv6 enable your DNS server even if your clients are IPv4 only.
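An added example, not part of the original post: one way to check that a name server actually answers on each of the four planes listed above (UDP and TCP, over IPv4 and IPv6), so a missing plane is found before it is needed for mitigation. The function names, the fixed transaction ID and the choice of an SOA query are assumptions made for this sketch.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction ID (assumption), fine for a one-shot health probe

def build_query(name, qtype=6):
    """Encode a minimal DNS query (QTYPE 6 = SOA, class IN, no recursion)."""
    header = struct.pack("!HHHHHH", TXID, 0, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def is_response(reply):
    """True if reply echoes our transaction ID and has the QR (response) bit set."""
    if len(reply) < 12:
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == TXID and bool(flags & 0x8000)

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf

def probe(addr, port, family, proto, name, timeout=2.0):
    """Send one query over a single plane; True only if a matching response arrives."""
    query = build_query(name)
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    try:
        with socket.socket(family, kind) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            if proto == "tcp":
                s.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
                (length,) = struct.unpack("!H", recv_exact(s, 2))
                return is_response(recv_exact(s, length))
            s.send(query)
            return is_response(s.recv(4096))
    except OSError:  # timeout, refused, unreachable, or address family unavailable
        return False

def check_planes(v4_addr, v6_addr, name, port=53):
    """Probe all four planes named in the post; returns {"udp4": bool, ...}."""
    targets = {"4": (v4_addr, socket.AF_INET), "6": (v6_addr, socket.AF_INET6)}
    return {proto + ver: probe(addr, port, fam, proto, name)
            for ver, (addr, fam) in targets.items() for proto in ("udp", "tcp")}
```

Call `check_planes()` with the server's own IPv4 and IPv6 addresses and a zone it is authoritative for; any `False` entry is a plane that would not be available during an event.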