[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"
Tony Finch
dot at dotat.at
Fri Sep 2 12:33:08 UTC 2016
Georg Kahest <georg.kahest at internet.ee> wrote:
>
> Actually the original article from Neustar glances at the correct solution:
>
> Best Practices for Mitigation – For organizations that rely on DNSSEC,
> Neustar recommends ensuring that your DNS provider does not respond to
> “ANY” queries or has a mechanism in place to identify and prevent misuse.
>
> https://www.neustar.biz/about-us/news-room/press-releases/2016/dnssec

Dropping responses is likely to cause problems with legitimate ANY
queries. A better solution is
https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any
(e.g. the minimal-any option in BIND 9.11).

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
South Fitzroy: Northerly or northeasterly 4 or 5 occasionally 6 for a time,
but variable 4 in west. Moderate. Fog patches in east. Moderate or good,
occasionally very poor in east.
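
Added example, not part of the original message: a small Python check an operator could run over a captured ANY query/response pair to see whether the server still answers with every RRset or with a reduced answer. The function names, the `example.com` name and the record sizes are constructed for illustration, and treating "at most one RRset plus its covering RRSIGs" as a minimal answer is an assumption of this sketch.

```python
import struct

RRSIG = 46  # signatures cover an RRset; they are not counted as one

def build_any_query(name, qid=0x1234):
    """Encode a query for QTYPE=ANY (255), class IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 255, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def answer_types(msg):
    """List the RR types in the answer section of a DNS message."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def assess(query, response):
    """Report RRset count, size ratio, and whether the answer is minimal."""
    rrsets = set(answer_types(response)) - {RRSIG}
    return {"rrsets": len(rrsets),
            "amplification": round(len(response) / len(query), 2),
            "minimal": len(rrsets) <= 1}

# Constructed sample responses (opaque RDATA of plausible sizes, not captured traffic).
def _response(query, rrs):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(rrs), 0, 0)
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, n) + bytes(n) for t, n in rrs)
    return hdr + query[12:] + body

QUERY = build_any_query("example.com")
FULL = _response(QUERY, [(1, 4), (15, 4), (16, 12), (48, 260), (RRSIG, 150)])
MINIMAL = _response(QUERY, [(1, 4), (RRSIG, 150)])
```

`assess(QUERY, FULL)` and `assess(QUERY, MINIMAL)` give the two cases side by side; the signed single-RRset answer is still larger than the query, but it no longer scales with the number of RRsets at the name.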