[dns-operations] A Deep Dive Into DNS Packet Sizes: Why Smaller Packet Sizes Keep The Internet Safe

Tony Finch dot at dotat.at
Mon Mar 21 14:57:13 UTC 2016


Paul Vixie <paul at redbarn.org> wrote:
> Robertz C. wrote:
> >
> > https://blog.cloudflare.com/a-deep-dive-into-dns-packet-sizes-why-smaller-packet-sizes-keep-the-internet-safe/
> >
> > A nice article. How about your thoughts?
>
> that article is significantly wrong-headed, though in a well-meaning way.
>
> i wrote several extensive comments on the blog itself, which i won't copy
> here.

Damian Menscher's comment is helpful:
https://blog.cloudflare.com/a-deep-dive-into-dns-packet-sizes-why-smaller-packet-sizes-keep-the-internet-safe/#comment-2578422987

I have seen the kind of attack traffic he describes. My authoritative
servers were getting ANY queries from a large number of recursive servers.
Evidently the attackers were using lots of recursive servers as reflection
amplifiers - enough of them that the traffic on my authoritative servers
became a problem. And RRL didn't block the traffic because it is not
designed to do that.

To mitigate the attack I implemented draft-ietf-dnsop-refuse-any (link
below) which stopped the recursive servers from switching to TCP (reducing
the rec/auth load) and which also made my domains much less useful as
recursive amplifiers.

I'm grateful to Cloudflare for talking about this problem, because the
discussion about draft-ietf-dnsop-refuse-any meant I knew how to mitigate
the attack without having to invent my own half-arsed blocking rules.

https://git.csx.cam.ac.uk/x/ucs/ipreg/bind9.git/commitdiff/03b54c557b19652c4abd8561f572a370b54b096e

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Northwest Fitzroy: Northeasterly 4 or 5 becoming variable 3 or 4. Moderate.
Fair. Good.
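As an added illustration of the refuse-any behaviour described above (example code written for this page, not Tony's BIND patch): a toy authoritative responder over a constructed zone that answers ANY with a synthesized HINFO record, as in draft-ietf-dnsop-refuse-any (later published as RFC 8482), instead of returning a large answer that gets truncated over UDP and pushes the recursive server to retry over TCP. The zone name, record contents and sizes are all constructed.

```python
import struct

IN, A, HINFO, TXT, ANY = 1, 1, 13, 16, 255

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def rr(name, rtype, rdata, ttl=3600):
    return encode_name(name) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata

def build_query(name, qtype, qid=0x1234):
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, IN)

# Constructed zone: one name with enough TXT data that a full ANY answer cannot fit in 512 bytes.
ZONE = {"example.test.": {A: [bytes([192, 0, 2, 1])],
                          TXT: [bytes([60]) + bytes([0x41 + i]) * 60 for i in range(12)]}}

def answer(query, refuse_any=True, max_udp=512):
    """Wire-format response; with refuse_any, ANY gets a synthesized HINFO (RFC 8482 style)."""
    qid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    qtype = struct.unpack("!H", query[off:off + 2])[0]
    question = query[12:off + 4]
    rrsets = ZONE.get(qname, {})
    if qtype == ANY and refuse_any:
        # HINFO with CPU "RFC8482" and empty OS, instead of every RRset at the name
        answers = [rr(qname, HINFO, b"\x07RFC8482\x00")]
    elif qtype == ANY:
        answers = [rr(qname, t, d) for t, ds in rrsets.items() for d in ds]
    else:
        answers = [rr(qname, qtype, d) for d in rrsets.get(qtype, [])]
    flags = 0x8400  # QR=1, AA=1
    body = question + b"".join(answers)
    if 12 + len(body) > max_udp:
        # Too big for the UDP buffer: set TC=1, send only the question, and the client retries over TCP
        return struct.pack("!HHHHHH", qid, flags | 0x0200, 1, 0, 0, 0) + question
    return struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0) + body

def truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)

def amplification(query, response):
    return len(response) / len(query)
```

With the classic 512-byte limit the full ANY answer is truncated (so the recursor retries over TCP), while the refuse-any answer fits in one small UDP packet; the same toy shows how much larger the full answer is once a bigger buffer is advertised.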
