[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Casey Deccio casey at deccio.net
Sun Sep 4 02:34:06 UTC 2016

> On Sep 3, 2016, at 9:42 PM, Damian Menscher <damian at google.com> wrote:
> ... RRL applied at authoritative servers doesn't accomplish anything -- all amplification attacks reflect off recursive resolvers, not authoritative servers.

No - authoritative servers servers are certainly also used.

> I do agree that blocking ANY doesn't achieve much (I've seen amplification via TXT and even A records), but think we're wasting time arguing blocking ANY vs deploying RRL vs minifying responses vs getting rid of open recursive resolvers.  The real answer is to insist transit providers perform traceback and filter their abusive customers.  It's just a matter of providing them the right incentives....

The DNS-based reflection/amplification attacks have similar results, but the attack mechanisms vary.  We have several tools at our disposal, and some are more effective than others, depending on the attack mechanism employed.  However, if two mechanisms operate independent of one another, then the effectiveness of one can't be diminished by the non-use of another, even if the other is perhaps more effective.

In other words, blocking at the source is great.  But for any traffic getting through to reflectors (authoritative or recursive) mitigating the effects of amplification at the reflector is useful.

Best regards,

More information about the dns-operations mailing list