[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

P Vixie paul at redbarn.org
Sat Sep 3 17:59:00 UTC 2016

Yes! In fact 1:1 at the packet level is enough for effective ddos, even if it's attenuative at the octet level.

This is why DNS RRL attenuates at both the packet and octet levels.

The proponents of blocking ANY have not modeled the attackers' goals, nor their alternatives.

Blocking ANY is silly.


On September 3, 2016 10:07:24 AM PDT, Roland Dobbins <rdobbins at arbor.net> wrote:
>On 3 Sep 2016, at 23:30, Shane Kerr wrote:
>> Setting "minimal-responses" in BIND 9's named.conf should fix this.
>Paul's real point is that just about any (heh) DNS record can be used 
>for some degree of reflection/amplification.
>A corollary is that most reflection/amplification attacks - in point of
>fact, most DDoS attacks in general - are gratuitous examples of 
>overkill.  1:1 reflection alone would meet the obfuscatory needs of
>attackers and still get the job done conformant to requirements.
>Roland Dobbins <rdobbins at arbor.net>

Sent from my Android device with K-9 Mail. Please excuse my brevity.
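A small model of the two-level limiting the post attributes to RRL, added here as an illustration (it is neither BIND's RRL code nor anything from the thread); the per-/24 limits, burst shapes and RFC 5737 addresses are constructed. It shows why a limiter that counts only octets leaves a 1:1 packet reflection largely untouched, and one that counts only packets leaves an ANY amplifier untouched.

```python
"""Model of limiting reflected DNS responses per source /24 at both the packet
(response count) and octet (response bytes) level, the two dimensions the post
says RRL attenuates.  Illustrative model only; not BIND's RRL implementation."""
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Budget:
    """Allowance left in the current second for one source /24."""
    packets: int
    octets: int

def source_block(ip: str) -> str:
    """Key clients by /24, so spoofed hosts within one block share a limit."""
    return str(ip_network(f"{ip}/24", strict=False))

def limit(queries, pkt_per_sec=None, oct_per_sec=None):
    """Return the responses sent in one second under the given per-/24 limits.
    queries: (spoofed_src, qname, qtype, query_octets, response_octets).
    A limit of None disables that dimension (modelled as a huge budget)."""
    budgets, sent = {}, []
    for q in queries:
        b = budgets.setdefault(source_block(q[0]),
                               Budget(10**9 if pkt_per_sec is None else pkt_per_sec,
                                      10**9 if oct_per_sec is None else oct_per_sec))
        if b.packets < 1 or b.octets < q[4]:
            continue            # dropped (real RRL may 'slip' a truncated reply)
        b.packets -= 1
        b.octets -= q[4]
        sent.append(q)
    return sent

def victim_load(queries, sent):
    """What the spoofed victim receives: (pps, octets/s, packet ratio, octet ratio)."""
    pkts, octs = len(sent), sum(q[4] for q in sent)
    return pkts, octs, pkts / len(queries), octs / sum(q[3] for q in queries)

# Constructed bursts, spoofed from a victim in RFC 5737 test address space.
VICTIM = "198.51.100.7"
# 1000 SOA queries padded to 512 octets, 60-octet minimal replies:
# attenuative at the octet level (ratio < 1) yet 1:1 at the packet level.
SMALL = [(VICTIM, "example.com", "SOA", 512, 60)] * 1000
# 100 ANY queries with 3000-octet replies: the classic octet amplifier.
LARGE = [(VICTIM, "example.com", "ANY", 64, 3000)] * 100

if __name__ == "__main__":
    for name, burst in (("SOA/minimal", SMALL), ("ANY", LARGE)):
        for label, kw in (("no limit", {}), ("packets only", {"pkt_per_sec": 200}),
                          ("octets only", {"oct_per_sec": 10_000}),
                          ("both", {"pkt_per_sec": 200, "oct_per_sec": 10_000})):
            print(name, label, victim_load(burst, limit(burst, **kw)))
```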
