[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"
Paul Vixie
paul at redbarn.org
Fri Sep 2 17:24:58 UTC 2016
i'm not shooting the messenger, but...
Georg Kahest wrote:
> Actually the original article from Neustar glances the correct solution:
>
> Best Practices for Mitigation – For organizations that rely on DNSSEC,
> Neustar recommends ensuring that your DNS provider does not respond to
> “ANY” queries or has a mechanism in place to identify and prevent misuse.
>
> https://www.neustar.biz/about-us/news-room/press-releases/2016/dnssec
...that's just silly. from the command:
dig @h.gtld-servers.net does_not_exist.com a +dnssec
...we know that dnssec referrals from an NSEC3 zone are 600 octets in
size. whereas from the command:
dig @h.gtld-servers.net does-not-exist.com a +dnssec
...we know that dnssec negative responses are ~1000 octets in size.
(note differences between hyphen (-) and underscore (_) above.)
blocking ANY wastes your time and annoys the pig. only protocol aware
rate limiting, for example DNS RRL, will keep your authority server from
being an attractive reflecting amplifier.
--
P Vixie
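The protocol-aware rate limiting the post points to, as an added example that is not code from the post, from BIND, or from any shipping RRL implementation: a simplified RRL model that counts identical responses per source /24 (so the ~1000-octet NXDOMAIN for does-not-exist.com is limited regardless of qtype), run over a constructed spoofed flood. The rps/window/slip parameters and the traffic are assumptions.

```python
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    """Simplified model of DNS Response Rate Limiting (RRL), written for this
    example only (not BIND's or any vendor's code).  Identical responses to the
    same /24 earn `rps` credits per second, capped at `window` seconds' worth;
    once credits go negative the response is limited: every `slip`-th limited
    response is sent truncated (TC=1) so a genuine client retries over TCP,
    and the rest are dropped."""

    def __init__(self, rps=5, window=15, slip=2):
        self.rps, self.window, self.slip = rps, window, slip
        self.buckets = {}                 # key -> [credits, last_refill_time]
        self.limited = defaultdict(int)   # prefix -> count of limited responses

    def decide(self, src_ip, qname, qtype, rcode, now):
        prefix = ipaddress.ip_network(f"{src_ip}/24", strict=False)
        # NXDOMAIN is keyed by name+rcode, positive answers by name+type: the same
        # large negative response is one bucket whatever qtype the flood uses,
        # which is why this covers what a bare ANY block does not.
        ident = (qname.lower(), qtype) if rcode == "NOERROR" else (qname.lower(), rcode)
        key = (prefix, ident)
        credits, last = self.buckets.get(key, [self.rps, now])
        whole_seconds = int(now - last)
        if whole_seconds > 0:             # refill once per whole elapsed second
            credits = min(self.rps * self.window, credits + whole_seconds * self.rps)
            last += whole_seconds
        credits -= 1
        self.buckets[key] = [credits, last]
        if credits >= 0:
            return "send"
        self.limited[prefix] += 1
        return "slip" if self.slip and self.limited[prefix] % self.slip == 0 else "drop"


def simulate(queries, limiter):
    """Return how many responses were sent in full, slipped (TC=1), or dropped."""
    counts = {"send": 0, "slip": 0, "drop": 0}
    for q in queries:
        counts[limiter.decide(**q)] += 1
    return counts


# Constructed traffic: 20 spoofed queries within one second, all claiming to come
# from 203.0.113.5 (the reflection victim), plus one genuine query from elsewhere.
FLOOD = [dict(src_ip="203.0.113.5", qname="does-not-exist.com", qtype="A",
              rcode="NXDOMAIN", now=1000.0 + 0.05 * i) for i in range(20)]
LEGIT = [dict(src_ip="198.51.100.7", qname="does-not-exist.com", qtype="A",
              rcode="NXDOMAIN", now=1000.5)]

if __name__ == "__main__":
    print(simulate(FLOOD + LEGIT, ResponseRateLimiter()))  # {'send': 6, 'slip': 7, 'drop': 8}
```

Only the first five large responses per second reach the spoofed victim; the rest become empty truncated replies or nothing, while the query from the other network is unaffected and the bucket refills once the flood pauses.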