[dns-operations] A Deep Dive Into DNS Packet Sizes: Why Smaller Packet Sizes Keep The Internet Safe

Tony Finch dot at dotat.at
Mon Mar 21 14:57:13 UTC 2016

Paul Vixie <paul at redbarn.org> wrote:
> Robertz C. wrote:
> >
> > https://blog.cloudflare.com/a-deep-dive-into-dns-packet-sizes-why-smaller-packet-sizes-keep-the-internet-safe/
> >
> > A nice article. how about your thoughts?
> that article is significantly wrong-headed, though in a well-meaning way.
> i wrote several extensive comments on the blog itself, which i won't copy
> here.

Damian Menscher's comment is helpful:

I have seen the kind of attack traffic he describes. My authoritative
servers were getting ANY queries from a large number of recursive servers.
Evidently the attackers were using lots of recursive servers as reflection
amplifiers - enough of them that the traffic on my authoritative servers
became a problem. And RRL didn't block the traffic because it is not
designed to do that.

To mitigate the attack I implemented draft-ietf-dnsop-refuse-any (link
below) which stopped the recursive servers from switching to TCP (reducing
the rec/auth load) and which also made my domains much less useful as
recursive amplifiers.

I'm grateful to Cloudflare for talking about this problem, because the
discussion about draft-ietf-dnsop-refuse-any meant I knew how to mitigate
the attack without having to invent my own half-arsed blocking rules.


f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Northwest Fitzroy: Northeasterly 4 or 5 becoming variable 3 or 4. Moderate.
Fair. Good.
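The mitigation Tony describes (draft-ietf-dnsop-refuse-any, later published as RFC 8482) is, at the wire level, simple: when QTYPE=ANY arrives, answer with a single synthesized HINFO record instead of every RRset at the name, so the response is no longer worth reflecting. The following is an added example written for this page, not code from the thread, from Tony's servers or from any DNS implementation. It builds raw DNS messages with the standard library only, against a constructed toy zone, and compares the size of a full ANY answer with the minimal one. The zone contents, names and the `refuse_any` switch are assumptions for illustration.

```python
import struct

# RR type codes from the DNS registry; CLASS_IN is the Internet class.
TYPE_A, TYPE_HINFO, TYPE_TXT, TYPE_ANY = 1, 13, 16, 255
CLASS_IN = 1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Read an uncompressed name from msg at offset; return (name, new offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; a question section never needs one
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower() + ".", offset


def char_string(s):
    """<character-string> as used by TXT and HINFO RDATA."""
    return bytes([len(s)]) + s.encode("ascii")


# Constructed toy zone (not real data): name -> list of (type, rdata).
# The large TXT RRset is the kind of payload that makes ANY attractive for amplification.
ZONE = {
    "example.com.": [
        (TYPE_A, bytes([192, 0, 2, 1])),
        (TYPE_A, bytes([192, 0, 2, 2])),
        (TYPE_TXT, char_string("v=spf1 -all")),
        (TYPE_TXT, char_string("x" * 200)),
    ]
}

# RFC 8482 section 4.2: CPU field "RFC8482", OS field empty.
HINFO_RFC8482 = char_string("RFC8482") + char_string("")


def build_query(name, qtype, txid=0x1234):
    """Plain UDP-style query: one question, RD set, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_query(msg):
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype, qclass, msg[12:off + 4]


def rr(name, rtype, rdata, ttl=3600):
    """One resource record in wire format (no name compression)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(query, refuse_any=True):
    """Authoritative answer; with refuse_any, ANY gets one synthesized HINFO RR."""
    txid, name, qtype, _qclass, question = parse_query(query)
    rrsets = ZONE.get(name)
    answers, rcode = [], 0
    if rrsets is None:
        rcode = 3  # NXDOMAIN
    elif qtype == TYPE_ANY and refuse_any:
        answers = [rr(name, TYPE_HINFO, HINFO_RFC8482)]
    elif qtype == TYPE_ANY:
        answers = [rr(name, t, d) for t, d in rrsets]  # the pre-mitigation behaviour
    else:
        answers = [rr(name, t, d) for t, d in rrsets if t == qtype]
    flags = 0x8400 | rcode  # QR=1, AA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)


def answer_count(response):
    return struct.unpack("!H", response[6:8])[0]


def amplification(query, response):
    """Bytes out per byte in: what a reflector offers the attacker."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com.", TYPE_ANY)
    for refuse in (False, True):
        r = build_response(q, refuse_any=refuse)
        print(f"refuse_any={refuse}: {answer_count(r)} RRs, {len(r)} bytes, x{amplification(q, r):.1f}")
```

In production the knob is in the name server rather than hand-rolled code: BIND 9.11 and later expose it as `minimal-any yes;` in named.conf. Note that RFC 8482 also allows the alternative of returning one real RRset from the name instead of a synthesized HINFO, and that a server may still give a full answer over TCP, where the client has proven its source address.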
