[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Tony Finch dot at dotat.at
Fri Sep 2 12:33:08 UTC 2016

Georg Kahest <georg.kahest at internet.ee> wrote:
> Actually the original article from neustrar glances the correct solution :
> Best Practices for Mitigation –For organizations that rely on DNSSEC,
> Neustar recommends ensuring that your DNS provider does not respond to
> “ANY” queries or has a mechanism in place to identify and prevent misuse.
> https://www.neustar.biz/about-us/news-room/press-releases/2016/dnssec

Dropping responses is likely to cause problems with legitimate ANY
queries. A better solution is
(e.g. the minimal-any option in BIND 9.11).

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
South Fitzroy: Northerly or northeasterly 4 or 5 occasionally 6 for a time ,
but variable 4 in west. Moderate. Fog patches in east. Moderate or good,
occasionally very poor in east.

More information about the dns-operations mailing list