[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
Roland Dobbins
rdobbins at arbor.net
Sat Sep 3 18:13:02 UTC 2016
On 4 Sep 2016, at 0:59, P Vixie wrote:
> Yes! In fact 1:1 at the packet level is enough for effective ddos,
> even if it's attenuative at the octet level.
>
> This is why DNS RRL attenuates at both the packet and octet levels.
>
> The proponents of blocking ANY have not modeled the attackers' goals,
> nor their alternatives.
>
> Blocking ANY is silly.
+1 to all.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>