[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Paul Vixie paul at redbarn.org
Fri Sep 2 17:24:58 UTC 2016

i'm not shooting the messenger, but...

Georg Kahest wrote:
> Actually the original article from Neustar glances at the correct solution:
> Best Practices for Mitigation – For organizations that rely on DNSSEC,
> Neustar recommends ensuring that your DNS provider does not respond to
> “ANY” queries or has a mechanism in place to identify and prevent misuse.
> https://www.neustar.biz/about-us/news-room/press-releases/2016/dnssec

...that's just silly. from the command:

dig @h.gtld-servers.net does_not_exist.com a +dnssec

...we know that dnssec referrals from an NSEC3 zone are 600 octets in 
size. whereas from the command:

dig @h.gtld-servers.net does-not-exist.com a +dnssec

...we know that dnssec negative responses are ~1000 octets in size.

(note differences between hyphen (-) and underscore (_) above.)

blocking ANY wastes your time and annoys the pig. only protocol aware 
rate limiting, for example DNS RRL, will keep your authority server from 
being an attractive reflecting amplifier.

P Vixie

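An added example, not code from the post above or from any DNS server (BIND, NSD or otherwise): a toy response-rate limiter in the spirit of DNS RRL, run over a constructed stream of spoofed queries so that the three policies (answer everything, refuse ANY only, protocol-aware rate limiting) can be compared by octets delivered to the reflection victim. The 600-octet referral and ~1000-octet negative-response sizes are the figures from the post; the query size, the ANY response size, the victim address, the names, and the rate and slip parameters are assumptions chosen for illustration.

```python
"""Toy DNS response-rate limiter (RRL-style) versus blocking ANY.

Added example; not from Paul Vixie's post, Neustar, or any real DNS server.
Referral (600) and NXDOMAIN (~1000) sizes follow the post; everything else
(query size, ANY size, names, addresses, limits) is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

QUERY_OCTETS = 60                   # assumed: minimal UDP query with EDNS0, DO=1
RESPONSE_OCTETS = {
    "referral": 600,                # DNSSEC referral from an NSEC3 zone (from the post)
    "nxdomain": 1000,               # DNSSEC negative response (from the post)
    "any": 3000,                    # assumed, not from the post
    "truncated": 60,                # RRL "slip": header only, TC=1, no answer section
}


@dataclass(frozen=True)
class Query:
    src: str        # source address on the wire; in a reflection attack, the victim
    qname: str
    qtype: str


class ResponseRateLimiter:
    """Per-second cap on identical responses toward one netblock.

    Keys classify the *response*, as RRL does: referrals and positive answers
    by the owner name they concern, NXDOMAIN by the zone alone, because an
    attacker can vary a non-existent label for free.
    """

    def __init__(self, zone, per_second=5, slip=2, prefix_len=24):
        self.zone, self.per_second, self.slip, self.prefix_len = zone, per_second, slip, prefix_len
        self.sent = defaultdict(int)   # (second, key) -> full responses already sent
        self.over = defaultdict(int)   # (second, key) -> responses seen over the limit

    def key(self, q, rclass):
        net = ip_network(f"{q.src}/{self.prefix_len}", strict=False)
        name = self.zone if rclass == "nxdomain" else q.qname.lower()
        return (str(net), rclass, name)

    def decide(self, t, q, rclass):
        """Response class to emit, 'truncated' for a slipped reply, or None to drop."""
        k = (int(t),) + self.key(q, rclass)
        if self.sent[k] < self.per_second:
            self.sent[k] += 1
            return rclass
        self.over[k] += 1
        # Every slip-th excess response goes out truncated, so a genuine
        # resolver inside a spoofed prefix can still fall back to TCP.
        if self.slip and self.over[k] % self.slip == 0:
            return "truncated"
        return None


def bytes_to_victim(stream, policy, limiter=None):
    """Octets the authority emits toward the spoofed source under one policy:
    'none' (answer all), 'block_any' (refuse ANY only), 'rrl' (use limiter)."""
    total = 0
    for t, q, rclass in stream:
        if policy == "block_any" and rclass == "any":
            continue
        if policy == "rrl":
            rclass = limiter.decide(t, q, rclass)
            if rclass is None:
                continue
        total += RESPONSE_OCTETS[rclass]
    return total


def flood(rclass, n, victim="192.0.2.1"):
    """Constructed attack stream: n spoofed queries within one second, with
    names chosen to provoke the wanted response class (assumed names)."""
    if rclass == "nxdomain":
        qs = [Query(victim, f"r{i}.com.", "A") for i in range(n)]      # random labels
    elif rclass == "referral":
        qs = [Query(victim, "delegated-example.com.", "A")] * n        # one delegation
    else:
        qs = [Query(victim, "delegated-example.com.", "ANY")] * n
    return [(i / n, q, rclass) for i, q in enumerate(qs)]


def simulate(n=100):
    """Octets reaching the victim, per policy and response class."""
    limiter = ResponseRateLimiter(zone="com.")
    return {policy: {rclass: bytes_to_victim(flood(rclass, n), policy, limiter)
                     for rclass in ("any", "nxdomain", "referral")}
            for policy in ("none", "block_any", "rrl")}


if __name__ == "__main__":
    for policy, by_class in simulate().items():
        for rclass, octets in by_class.items():
            print(f"{policy:10} {rclass:9} {octets:7d} octets  x{octets / (100 * QUERY_OCTETS):.1f}")
```

With the assumed numbers, refusing ANY leaves the NXDOMAIN flood untouched at roughly 16x amplification, whereas the limiter cuts each response class to a handful of full answers plus small truncated slips per netblock per second, whatever the query type.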