[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Roland Dobbins rdobbins at arbor.net
Sat Sep 3 17:07:24 UTC 2016

On 3 Sep 2016, at 23:30, Shane Kerr wrote:

> Setting "minimal-responses" in BIND 9's named.conf should fix this.

Paul's real point is that just about any (heh) DNS record can be used 
for some degree of reflection/amplification.

A corollary is that most reflection/amplification attacks - in point of 
fact, most DDoS attacks in general - are gratuitous examples of 
overkill.  1:1 reflection alone would meet the obfuscatory needs of most 
attackers and still get the job done conformant to requirements.

Roland Dobbins <rdobbins at arbor.net>

More information about the dns-operations mailing list