[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Roland Dobbins rdobbins at arbor.net
Sat Sep 3 18:13:02 UTC 2016


On 4 Sep 2016, at 0:59, P Vixie wrote:

> Yes! In fact 1:1 at the packet level is enough for effective DDoS, 
> even if it's attenuative at the octet level.
>
> This is why DNS RRL attenuates at both the packet and octet levels.
>
> The proponents of blocking ANY have not modeled the attackers' goals, 
> nor their alternatives.
>
> Blocking ANY is silly.

+1 to all.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>


