[dns-operations] Software that refuses an answer by QTYPE if it comes over plain UDP?

Mac Innes, Kiall kiall at hpe.com
Tue Mar 15 16:41:09 UTC 2016


On 15/03/16 15:16, Tony Finch wrote:
> Doug Barton <dougb at dougbarton.email> wrote:
>> Are there any name servers in play today that will only answer for a certain
>> QTYPE if the query comes via either TCP, or UDP with cookies?
> Not a direct answer, but your question made me think about
> https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any
>
> and I soon realised that the behaviour you imply will not be helpful in
> some situations. In particular, if you are getting QTYPE=ANY attack
> traffic from a lot of legitimate resolvers (that implement cookies and
> TCP) because clients of those resolvers are participating in an attack,
> you still want to minimize your answers. http://fanf.livejournal.com/140566.html

Along these lines, CloudFlare have talked about their handling of
qtype=ANY[1], and mentioned this:

> Disabling or throttling ANY is not unprecedented. UltraDNS disabled
> them briefly in 2013 with little impact visible to Internet users. A
> number of operators have refused to answer ANY queries over UDP, forcing
> the traffic to TCP, with the side effect that forged ANY queries are not
> amplified.

[1]: https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/

Thanks,
Kiall
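The policy the quoted operators describe, refusing ANY over plain UDP so the traffic moves to TCP, is normally done by answering with the TC (truncated) bit set and no records, which tells the client to retry over TCP and keeps the reply no larger than the query. The following is an added illustration written for this thread, not code from CloudFlare, UltraDNS or any name server mentioned here. It builds a minimal query on the wire, applies the "ANY over UDP without a valid cookie gets TC" decision, and shows the resulting response carries no amplification. The `transport` and `has_valid_cookie` inputs are assumed to come from the listening socket and from cookie validation done elsewhere; this code does not implement cookies itself.

```python
import struct

QTYPE_ANY = 255
FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated: client should retry over TCP
FLAG_RD = 0x0100  # recursion desired (copied from the query)


def encode_qname(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid: int, name: str, qtype: int) -> bytes:
    """Construct a minimal one-question query (no EDNS) for demonstration."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(msg: bytes):
    """Return (qid, flags, qname, qtype, raw_question) for a single-question message."""
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1  # skip the root label
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return qid, flags, ".".join(labels) + ".", qtype, msg[12:off + 4]


def header_flags(msg: bytes) -> int:
    """Flags word of a DNS message header."""
    return struct.unpack("!H", msg[2:4])[0]


def refuse_any_over_udp(qtype: int, transport: str, has_valid_cookie: bool) -> bool:
    """Policy: push ANY to TCP unless the client already proved its address
    via TCP or a valid cookie. Other QTYPEs are unaffected."""
    return qtype == QTYPE_ANY and transport == "udp" and not has_valid_cookie


def build_truncated_response(query: bytes) -> bytes:
    """Echo the question with QR, AA and TC set and zero records.
    The reply is exactly the size of the query, so a forged source gains nothing."""
    qid, flags, _, _, question = parse_question(query)
    flags_out = FLAG_QR | FLAG_AA | FLAG_TC | (flags & FLAG_RD)
    return struct.pack("!HHHHHH", qid, flags_out, 1, 0, 0, 0) + question


def handle(query: bytes, transport: str, has_valid_cookie: bool = False):
    """Return ("truncate", response) when the policy fires, else ("answer", None)
    to hand the query to the normal answering path."""
    _, _, _qname, qtype, _ = parse_question(query)
    if refuse_any_over_udp(qtype, transport, has_valid_cookie):
        return "truncate", build_truncated_response(query)
    return "answer", None


if __name__ == "__main__":
    # Constructed sample query: ANY for example.com. arriving over UDP.
    q = build_query(0x1234, "example.com.", QTYPE_ANY)
    action, resp = handle(q, "udp")
    print(action, "query=%d bytes response=%d bytes TC=%s"
          % (len(q), len(resp), bool(header_flags(resp) & FLAG_TC)))
    print(handle(q, "tcp")[0], handle(q, "udp", has_valid_cookie=True)[0])
```

Note what the policy does and does not buy you, in line with Tony's point above: a forged-source flood gets a same-size reply, but an ANY flood from legitimate resolvers that do use cookies or TCP still reaches the answering path, so answer minimisation along the lines of draft-ietf-dnsop-refuse-any is a separate, complementary control.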
