[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Dave Warren davew at hireahit.com
Mon Sep 5 06:52:17 UTC 2016

On Sun, Sep 4, 2016, at 22:56, Shane Kerr wrote:
> Operators have pointed out many times that blocking ANY seems to help
> them in practice. DNS folks have pointed out many times that this is
> not a good defense because there are other ways to achieve
> amplification. For a scientist it's an interesting question why blocking
> ANY seems to help even though it is straightforward to get large
> responses via other means. For an engineer it is less important - do
> what works, especially if it is cheap & easy with no drawbacks. :)

I think it's the "no drawbacks" that is a point of contention. The
drawback is the loss of ANY functionality, which is quite useful to

More information about the dns-operations mailing list