[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Paul Vixie paul at redbarn.org
Mon Sep 5 07:33:06 UTC 2016

Shane Kerr wrote:
> * DNS Gurus become enraged.
> It's that very last step that confuses me.

let me start from the beginning.

this kind of continuous low-grade non-kinetic warfare is actually a form 
of economics. there will be no decisive victory or loss for anybody -- 
no matter what, the defenders will continue to defend, and the attackers 
will continue to attack, and each will whenever necessary seek new 
methods, and each will whenever possible drive their own costs down and 
benefits up, and/or drive the other's costs up and benefits down.

when you as a defender block ANY you incur some cost in complexity and 
time. that cost is less than the attacker's projected costs of changing 
to some other RR type. (likely a one-line change to their python script.)

saying that this "works" is self-deceptive.

recommending that others do likewise is enragingly others-deceptive.

> I mean, an attacker can defeat RRL as well, but I don't see repeated
> attempts to convince people not to use RRL.

bypassing RRL is not a one line change to a python script. do the math 
and use that math to support an economic model that compels some kind of 
action (or inaction).

RRL was specifically designed to be "good enough that it's easier for an 
attacker to choose a different method altogether than to tune the method 
they had." if you're not doing at least that much homework, then your 
solution is silly.

blocking ANY is silly.

P Vixie
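An added illustration of the economics argued above (this is example code written for this page, not code from the list post, from Paul Vixie, or from any DNS server): a toy authoritative server applies two policies to the same constructed query stream, once with qtype=ANY refused and once with a much-simplified BIND-style response rate limit. The stream, the addresses, the credit rate and the response sizes are all invented for the illustration; the point it shows is that the attacker's "one-line change" from ANY to TXT defeats the first policy outright while merely choosing a different bucket under the second.

```python
"""Added illustration (not the list post's or any DNS server's code): the
same constructed query stream under an ANY ban and under a minimal RRL."""
from collections import defaultdict
from fractions import Fraction
from ipaddress import ip_network

# Constructed response sizes in bytes, so the two policies can be
# compared by what actually reaches the spoofed victim.
RESPONSE_BYTES = {"ANY": 3000, "TXT": 1500, "A": 60, "MX": 100}
SMALL_REPLY = 40  # a REFUSED or truncated (TC=1) reply carrying no answer data


def build_stream():
    """Constructed query stream: (time_ms, src_ip, qname, qtype).
    A reflection attacker spoofing victim 198.51.100.7 sends 40 ANY
    queries in one second, then changes one line and sends 40 TXT queries
    for the same name.  Two ordinary clients query in between."""
    stream = [(25 * i, "198.51.100.7", "example.test.", "ANY") for i in range(40)]
    stream += [(1000 + 25 * i, "198.51.100.7", "example.test.", "TXT") for i in range(40)]
    stream.append((300, "203.0.113.5", "www.example.test.", "A"))
    stream.append((1300, "203.0.113.9", "mail.example.test.", "MX"))
    return sorted(stream)


def block_any(stream):
    """Policy 1: refuse qtype=ANY, answer everything else in full."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, _, _, qtype in stream:
        counts[qtype]["refused" if qtype == "ANY" else "answered"] += 1
    return {q: dict(c) for q, c in counts.items()}


class Rrl:
    """Simplified RRL: a credit balance per (client /24, qname, qtype).
    Credits refill at `rps` per second and are capped at `rps`; a full
    answer spends one.  Below one credit the response is limited: every
    `slip`-th limited response goes out as a small truncated reply (so a
    real client can retry over TCP) and the others are dropped."""

    def __init__(self, rps=5, slip=2):
        self.rps, self.slip = rps, slip
        self.credits, self.last_ms, self.limited = {}, {}, defaultdict(int)

    @staticmethod
    def key(src_ip, qname, qtype):
        net = ip_network(f"{src_ip}/24", strict=False)
        return (str(net), qname.lower(), qtype)

    def decide(self, t_ms, src_ip, qname, qtype):
        k = self.key(src_ip, qname, qtype)
        refill = Fraction(t_ms - self.last_ms.get(k, t_ms), 1000) * self.rps
        bal = min(Fraction(self.rps), self.credits.get(k, Fraction(self.rps)) + refill)
        self.last_ms[k] = t_ms
        if bal >= 1:
            self.credits[k] = bal - 1
            return "answered"
        self.credits[k] = bal
        self.limited[k] += 1
        return "slipped" if self.limited[k] % self.slip == 0 else "dropped"


def rrl(stream, rps=5, slip=2):
    """Policy 2: run the stream through the limiter, count decisions by qtype."""
    limiter = Rrl(rps, slip)
    counts = defaultdict(lambda: defaultdict(int))
    for t_ms, src, qname, qtype in stream:
        counts[qtype][limiter.decide(t_ms, src, qname, qtype)] += 1
    return {q: dict(c) for q, c in counts.items()}


def bytes_to_victim(counts):
    """Bytes reflected at the spoofed source under one policy's decisions
    (A and MX come from the legitimate clients, so they are excluded)."""
    total = 0
    for qtype, c in counts.items():
        if qtype in ("A", "MX"):
            continue
        total += c.get("answered", 0) * RESPONSE_BYTES[qtype]
        total += (c.get("refused", 0) + c.get("slipped", 0)) * SMALL_REPLY
    return total


if __name__ == "__main__":
    s = build_stream()
    for name, policy in (("block ANY", block_any), ("RRL", rrl)):
        c = policy(s)
        print(f"{name:10} {c}  -> {bytes_to_victim(c)} bytes to victim")
```

Under the ANY ban the switch to TXT takes the attacker from 40 tiny REFUSED replies to 40 full 1500-byte answers; under the limiter both bursts get the same nine full answers plus a handful of truncated ones, because the bucket is keyed on the response rather than on one query type. Real RRL (BIND's `rate-limit` clause) is considerably richer than this model, which is why evading it means spreading load across many names and sources rather than editing one line.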
