[dns-operations] A Deep Dive Into DNS Packet Sizes: Why Smaller Packet Sizes Keep The Internet Safe

Warren Kumari warren at kumari.net
Mon Mar 21 23:20:20 UTC 2016


On Mon, Mar 21, 2016 at 11:24 AM Tony Finch <dot at dotat.at> wrote:

> Paul Vixie <paul at redbarn.org> wrote:
> > Robertz C. wrote:
> > >
> > > https://blog.cloudflare.com/a-deep-dive-into-dns-packet-sizes-why-smaller-packet-sizes-keep-the-internet-safe/
> > >
> > > A nice article. How about your thoughts?
> >
> > that article is significantly wrong-headed, though in a well-meaning way.
> >
> > i wrote several extensive comments on the blog itself, which i won't copy
> > here.
>
> Damian Menscher's comment is helpful:
>
> https://blog.cloudflare.com/a-deep-dive-into-dns-packet-sizes-why-smaller-packet-sizes-keep-the-internet-safe/#comment-2578422987
>
> I have seen the kind of attack traffic he describes. My authoritative
> servers were getting ANY queries from a large number of recursive servers.
> Evidently the attackers were using lots of recursive servers as reflection
> amplifiers - enough of them that the traffic on my authoritative servers
> became a problem. And RRL didn't block the traffic because it is not
> designed to do that.
>
> To mitigate the attack I implemented draft-ietf-dnsop-refuse-any (link
> below) which stopped the recursive servers from switching to TCP (reducing
> the rec/auth load) and which also made my domains much less useful as
> recursive amplifiers.
>
> I'm grateful to Cloudflare for talking about this problem, because the
> discussion about draft-ietf-dnsop-refuse-any meant I knew how to mitigate
> the attack without having to invent my own half-arsed blocking rules.
>
>
> https://git.csx.cam.ac.uk/x/ucs/ipreg/bind9.git/commitdiff/03b54c557b19652c4abd8561f572a370b54b096e


Nice. Much respect.
W


>
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h
> punycode
> Northwest Fitzroy: Northeasterly 4 or 5 becoming variable 3 or 4. Moderate.
> Fair. Good.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
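The mitigation Tony describes (draft-ietf-dnsop-refuse-any, later RFC 8482) is to answer QTYPE=ANY with a tiny synthesized HINFO record instead of every RRset at the name, so the response can no longer serve as an amplifier and recursives stop retrying over TCP. The following is an added, stand-alone Python illustration of that response logic, not code from this thread or from Tony's BIND patch; it assumes a single-question query in plain wire format with no compression pointers in the question section, and uses the RFC 8482 recommended RDATA (CPU "RFC8482", empty OS).

```python
import struct

HINFO, ANY, CLASS_IN = 13, 255, 1

def build_query(qid, name, qtype, qclass=CLASS_IN):
    """Encode a minimal DNS query (RD=1, one question) in wire format.
    Only used here to construct sample input; a real server receives this."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

def parse_question(pkt):
    """Return (id, flags, qname, qtype, qclass, end_of_question_offset)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:  # assumption: no compression pointers in the question
            raise ValueError("compression pointer in question section")
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return qid, flags, ".".join(labels) + ".", qtype, qclass, pos + 4

def refuse_any(pkt, ttl=3600):
    """If the query is QTYPE=ANY, return a synthesized HINFO answer in the
    RFC 8482 style; otherwise return None so normal lookup handles it."""
    qid, flags, qname, qtype, qclass, qend = parse_question(pkt)
    if qtype != ANY:
        return None
    rd = flags & 0x0100                       # echo RD as the original request had it
    hdr = struct.pack("!HHHHHH", qid, 0x8400 | rd, 1, 1, 0, 0)  # QR=1, AA=1, 1 answer
    rdata = b"\x07RFC8482" + b"\x00"          # CPU="RFC8482", OS="" (two character-strings)
    answer = (b"\xC0\x0C"                     # name: pointer to the question name at offset 12
              + struct.pack("!HHIH", HINFO, qclass, ttl, len(rdata)) + rdata)
    return hdr + pkt[12:qend] + answer        # header + copied question + one HINFO RR
```

The ANY response for example.com comes out at 50 bytes, while the same name's full ANY answer (all RRsets plus DNSSEC signatures) is what made such zones attractive as reflectors.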