[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Roland Dobbins rdobbins at arbor.net
Sun Sep 4 03:23:06 UTC 2016

On 4 Sep 2016, at 8:42, Damian Menscher wrote:

> At that point the attacker could just hit the victim
> directly.

That's the whole point of reflection - to do so *indirectly*, heh.

> RRL applied at authoritative servers doesn't accomplish anything --
> all amplification attacks reflect off recursive resolvers, not
> authoritative servers.

Actually, quite a bit of DNS reflection/amplification is direct from the 
initiators to the reflectors/amplifiers (in this case, the authoritative 
servers).  There are essentially two variants of DNS 
reflection/amplification - one involving a tier of open recursors, the 
other not utilizing them.

RRL on the authoritatives being used helps in either scenario.

Roland Dobbins <rdobbins at arbor.net>
