[dns-operations] EDNS vs DDOS scrubbing - was Re: Nice to see Amazon Route 53 remove the EDNS(1) filters for *.co.uk.
Joe Abley
jabley at hopcount.ca
Wed May 27 13:21:15 UTC 2015
On 27 May 2015, at 13:00, Mark Andrews wrote:
> No. Just "different query - must be bad". "Different query - don't
> know what to do -> drop" from firewall vendors.
For an enterprise, given that there's no defined use, format (and
therefore need) for EDNS(1), if your security posture is "default deny,
accept what we know we need" then dropping DNS messages with EDNS(1)
seems like exactly the right thing to do, doesn't it?
I understand the point that this posture makes future development and
deployment of EDNS(1) hard. I understand why that's a pain for protocol
development in the DNS. You don't have to explain either of those things
to me. (Just saying.)
But it's not like anybody is going to succeed in getting an enterprise
or their firewall vendor to say yes when the request they are hearing is
"can you please open up this hole for an experimental protocol that
nobody apart from me knows anything about, so that I can play with it".
Remember, these are the people that think ICMP is a security risk.
Joe
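To make the "DNS messages with EDNS(1)" in Joe's message concrete at the wire level, here is an added example (not code from the thread or from any firewall vendor it refers to). It builds constructed queries with no OPT RR, with EDNS(0) and with EDNS(1), reads the VERSION field out of the OPT pseudo-RR's TTL (RFC 6891), applies the default-deny rule the message describes, and, for contrast, shows what an RFC 6891 responder does with an unknown version instead of dropping it: answer with RCODE=BADVERS and the highest version it supports. The function names `firewall_decision` and `badvers_response`, the transaction ID and the 4096-byte payload size are assumptions made for this illustration.

```python
import struct
from typing import Optional

OPT_TYPE = 41          # RFC 6891 OPT pseudo-RR
RCODE_BADVERS = 16     # RFC 6891 section 6.1.3

def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels, ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def skip_name(packet: bytes, off: int) -> int:
    """Return the offset just past the name starting at off (handles compression pointers)."""
    while True:
        if off >= len(packet):
            raise ValueError("truncated name")
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length

def build_query(qname: str, edns_version: Optional[int] = None,
                qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed query; if edns_version is given, append an OPT RR carrying that version."""
    arcount = 0 if edns_version is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)       # class IN
    packet = header + question
    if edns_version is not None:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL = ext-RCODE(8) | VERSION(8) | DO+Z(16), RDLEN=0
        ttl = (0 << 24) | ((edns_version & 0xFF) << 16) | 0x0000
        packet += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, 0)
    return packet

def parse_edns_version(packet: bytes) -> Optional[int]:
    """Return the VERSION of the first OPT RR, or None when the message carries no OPT RR."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(packet, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(packet, off)
        if off + 10 > len(packet):
            raise ValueError("truncated RR")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return (ttl >> 16) & 0xFF                 # VERSION is the second byte of the TTL field
    return None

def firewall_decision(packet: bytes) -> str:
    """Default-deny posture from the message (hypothetical rule): allow plain DNS and EDNS(0), drop the rest."""
    try:
        version = parse_edns_version(packet)
    except ValueError:
        return "drop"                               # malformed is also "don't know what to do"
    return "accept" if version in (None, 0) else "drop"

def badvers_response(query: bytes) -> bytes:
    """What an RFC 6891 responder does instead of dropping: RCODE=BADVERS, VERSION=0 (highest supported)."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if parse_edns_version(query) is None:
        raise ValueError("BADVERS only applies to EDNS queries")
    qend = 12
    for _ in range(qd):
        qend = skip_name(query, qend) + 4
    # QR=1, RD copied; low 4 bits of the 12-bit RCODE live in the header, upper 8 in the OPT TTL
    header = struct.pack("!HHHHHH", txid, 0x8000 | (flags & 0x0100) | (RCODE_BADVERS & 0xF), qd, 0, 0, 1)
    ttl = ((RCODE_BADVERS >> 4) << 24) | (0 << 16)   # ext-RCODE=1, VERSION=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, 0)
    return header + query[12:qend] + opt

if __name__ == "__main__":
    for label, pkt in (("plain", build_query("example.com.")),
                       ("EDNS(0)", build_query("example.com.", 0)),
                       ("EDNS(1)", build_query("example.com.", 1))):
        print(f"{label:8s} version={parse_edns_version(pkt)} firewall={firewall_decision(pkt)}")
    reply = badvers_response(build_query("example.com.", 1))
    print("BADVERS reply carries VERSION", parse_edns_version(reply))
```

The only thing separating "EDNS(0), pass" from "EDNS(1), drop" is one byte in the OPT TTL field, which is why a "default deny, accept what we know we need" rule is trivial to write and equally trivial to keep in place long after a new version is defined.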