[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
Roland Dobbins
rdobbins at arbor.net
Sat Sep 3 17:07:24 UTC 2016
On 3 Sep 2016, at 23:30, Shane Kerr wrote:

> Setting "minimal-responses" in BIND 9's named.conf should fix this.

Paul's real point is that just about any (heh) DNS record can be used
for some degree of reflection/amplification.

A corollary is that most reflection/amplification attacks - in point of
fact, most DDoS attacks in general - are gratuitous examples of
overkill. 1:1 reflection alone would meet the obfuscatory needs of most
attackers and still get the job done conformant to requirements.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>