[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
Dave Warren
davew at hireahit.com
Mon Sep 5 06:52:17 UTC 2016
On Sun, Sep 4, 2016, at 22:56, Shane Kerr wrote:
> Operators have pointed out many times that blocking ANY seems to help
> them in practice. DNS folks have pointed out many times that this is
> not a good defense because there are other ways to achieve
> amplification. For a scientist it's an interesting question why blocking
> ANY seems to help even though it is straightforward to get large
> responses via other means. For an engineer it is less important - do
> what works, especially if it is cheap & easy with no drawbacks. :)
I think it's the "no drawbacks" that is a point of contention. The
drawback is the loss of ANY functionality, which is quite useful to
humans.
More information about the dns-operations
mailing list