[dns-operations] EDNS vs DDOS scrubbing - was Re: Nice to see Amazon Route 53 remove the EDNS(1) filters for *.co.uk.
Roland Dobbins
rdobbins at arbor.net
Wed May 27 13:39:13 UTC 2015
On 27 May 2015, at 20:24, Edward Lewis wrote:
> I can accept that ... but are so many doing it so wrong that the
> graphs are headed in the wrong direction?
I don't understand the basis behind the assumption that DDoS scrubbing
services are a factor in EDNS0 failure?
This statement:
On 27 May 2015, at 19:00, Mark Andrews wrote:
>> Yes, EDNS compliance issues have been traced to scrubbing services
>> and firewalls.
is something that's new to me in terms of DDoS mitigation services - I
personally have never run across this issue in that context. Stateful
firewalls, of course, are a well-known culprit.
Perhaps some of the less clueful DDoS mitigation service operators have
fallen prey to the 'drop all UDP DNS responses > 512 bytes' myth? But
as noted, I personally haven't run into this in the field with regards
to DDoS mitigation services.
Here's an example of how I try to propagandize against this kind of
thing, FWIW (see p.156):
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
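The '> 512 bytes' rule the message warns against, placed beside an EDNS0-aware check, as an added example that is not part of the thread: it constructs DNS responses in wire format (RFC 1035 / RFC 6891) and reads the UDP payload size advertised in the OPT pseudo-RR; all message contents are constructed sample data.

```python
import struct

def _encode_name(name):
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if ln == 0:
            return off
        off += ln

def build_response(name, answers, udp_payload=None):
    """Constructed response with `answers` A records and an optional EDNS0 OPT RR."""
    arcount = 1 if udp_payload else 0
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, answers, 0, arcount)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)        # QTYPE A, IN
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    msg = hdr + question + a_rr * answers
    if udp_payload:
        # OPT pseudo-RR: root name, TYPE 41, CLASS carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return msg

def advertised_payload(msg):
    """EDNS0 UDP payload size from the OPT RR, or 512 when there is no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                             # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return 512

def myth_filter_drops(msg):
    """The 'drop all UDP DNS responses > 512 bytes' rule: size only, OPT ignored."""
    return len(msg) > 512

def edns_aware_drops(msg):
    """Drop only what exceeds the size the OPT RR (or the 512-byte default) allows."""
    return len(msg) > advertised_payload(msg)
```

A 600-byte response advertising a 4096-byte payload is dropped by the myth filter but passes the EDNS-aware check; the same check still rejects a response that outgrows what its own OPT RR advertises.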