[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
Roland Dobbins
rdobbins at arbor.net
Sun Sep 4 03:23:06 UTC 2016
On 4 Sep 2016, at 8:42, Damian Menscher wrote:
> At that point the attacker could just hit the victim
> directly.
That's the whole point of reflection - to do so *indirectly*, heh.
> RRL applied at authoritative servers doesn't accomplish anything --
> all amplification attacks reflect off recursive resolvers, not
> authoritative servers.
Actually, quite a bit of DNS reflection/amplification is direct from the
initiators to the reflectors/amplifiers (in this case, the authoritative
servers). There are essentially two variants of DNS
reflection/amplification - one involving a tier of open recursors, the
other not utilizing them.
RRL on the authoritatives being used helps in either scenario.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
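The point about RRL helping in the direct-reflection case can be seen in a toy model. The code below is an added example, not part of the list message and not the RRL implementation of BIND, NSD or Knot; it is a simplified per-second counter keyed on (client /24, qname, qtype) with a "slip" option (every Nth rate-limited response becomes a small truncated answer instead of silence). All sizes and addresses are constructed: a 45-byte query, a 3000-byte ANY answer, a victim at 198.51.100.7 and a legitimate resolver at 192.0.2.53. Real RRL uses a credit-based window and more response classes, but the effect on the amplification factor is the same: the spoofed victim receives a handful of full answers plus tiny TC=1 responses instead of thousands of large ones, while a well-behaved resolver below the limit is unaffected.

```python
"""Toy model of DNS Response Rate Limiting (RRL) on an authoritative server.

Constructed example (not BIND/NSD code): a per-second counter keyed on
(client /24, qname, qtype) with "slip" handling.  It shows why RRL on the
authoritative servers blunts *direct* reflection/amplification.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sizes: a small UDP query, a large ANY-style answer, and a
# truncated (TC=1) response that carries only the question section.
QUERY_BYTES = 45
BIG_ANSWER_BYTES = 3000
TC_RESPONSE_BYTES = 45


@dataclass
class RateLimiter:
    responses_per_second: int = 5
    slip: int = 2            # every 2nd rate-limited response is slipped (TC=1), not dropped
    _state: dict = field(default_factory=dict)

    def decide(self, now: float, client_ip: str, qname: str, qtype: str) -> str:
        """Return 'answer', 'slip' (send TC=1) or 'drop' for one query.

        The key is the client's /24 (spoofed sources inside one /24 share a
        bucket) plus the normalized name and type.
        """
        key = (client_ip.rsplit(".", 1)[0], qname.lower().rstrip("."), qtype.upper())
        window_start, count, limited = self._state.get(key, (now, 0, 0))
        if now - window_start >= 1.0:            # start a new one-second window
            window_start, count, limited = now, 0, 0
        count += 1
        if count <= self.responses_per_second:
            action = "answer"
        else:
            limited += 1
            action = "slip" if self.slip and limited % self.slip == 0 else "drop"
        self._state[key] = (window_start, count, limited)
        return action


def reflect(n_queries: int, limiter: Optional[RateLimiter]) -> dict:
    """Attacker sends n_queries spoofed ANY queries within one second, all
    claiming to come from the victim 198.51.100.7 (constructed).  Count what
    the victim actually receives, with or without RRL."""
    stats = {"answer": 0, "slip": 0, "drop": 0}
    for i in range(n_queries):
        now = i / n_queries                      # all inside the first second
        if limiter is None:
            action = "answer"
        else:
            action = limiter.decide(now, "198.51.100.7", "example.com", "ANY")
        stats[action] += 1
    bytes_to_victim = (stats["answer"] * BIG_ANSWER_BYTES
                       + stats["slip"] * TC_RESPONSE_BYTES)
    stats["bytes_to_victim"] = bytes_to_victim
    stats["amplification"] = round(bytes_to_victim / (n_queries * QUERY_BYTES), 2)
    return stats


def legit_resolver_answers(limiter: RateLimiter, n_queries: int = 3) -> int:
    """A real resolver (192.0.2.53, constructed) asking a few A queries per
    second stays under the limit and is answered every time."""
    return sum(
        limiter.decide(i / 10, "192.0.2.53", "example.com", "A") == "answer"
        for i in range(n_queries)
    )


if __name__ == "__main__":
    print("no RRL :", reflect(1000, None))
    print("with RRL:", reflect(1000, RateLimiter()))
    print("legit resolver answered:", legit_resolver_answers(RateLimiter()), "of 3")
```

Without RRL the 1000 spoofed queries turn 45 KB of attack traffic into about 3 MB at the victim; with the limiter at five responses per second and slip 2, the victim sees five full answers plus 497 truncated ones, below the size of the queries themselves, while the legitimate resolver is untouched.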