[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Georg Kahest georg.kahest at internet.ee
Mon Sep 5 07:40:27 UTC 2016


On 09/02/2016 03:33 PM, Tony Finch wrote:
> Georg Kahest <georg.kahest at internet.ee> wrote:
>> 
>> Actually the original article from Neustar glances at the correct
>> solution:
>> 
>> Best Practices for Mitigation – For organizations that rely on
>> DNSSEC, Neustar recommends ensuring that your DNS provider does
>> not respond to “ANY” queries or has a mechanism in place to
>> identify and prevent misuse.
>> 
>> https://www.neustar.biz/about-us/news-room/press-releases/2016/dnssec
>
>> 
> Dropping responses is likely to cause problems with legitimate ANY 
> queries. A better solution is 
> https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any (e.g. the
> minimal-any option in BIND 9.11).
> 
> Tony.
> 
I totally agree that you should not drop ANY queries; I was actually
referring to the other part of the sentence: "or has a mechanism in
place to identify and prevent misuse."

The InfoWorld article did not mention anything about the second part of
the sentence.

The only sad part is that they did not say out loud that most DNS
software can RRL requests rather than blindly block ANY.

-- 
Georg Kahest
System Administrator / Süsteemiadministraator

Eesti Interneti SA   Paldiski mnt 80, 10617 Tallinn
Tel 727 1016  Mobiil 58 50 35 64
www.internet.ee
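
A simplified model of the response rate limiting (RRL) that this message contrasts with blindly blocking ANY. It is an added example, not code from the post or from any DNS server; the class, its parameter names and the sample traffic (documentation address ranges) are constructed for illustration.

```python
import ipaddress
from collections import Counter

class ResponseRateLimiter:
    """Simplified token-bucket model of RRL; not any server's actual code."""

    def __init__(self, responses_per_second=5, window=5, slip=2, prefix_len=24):
        self.rate, self.window, self.slip = responses_per_second, window, slip
        self.prefix_len = prefix_len
        self.state = {}           # key -> (credit balance, time of last response)
        self.limited = Counter()  # key -> number of rate-limited responses so far

    def decide(self, now, client_ip, qname, qtype):
        # Spoofed floods share one victim prefix, so account per client network
        # and per response (name + type), never per query type alone.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        key = (net, qname.lower(), qtype)
        balance, last = self.state.get(key, (self.rate, now))
        balance = min(self.rate, balance + (now - last) * self.rate) - 1
        balance = max(balance, -self.window * self.rate)  # debt is bounded by window
        self.state[key] = (balance, now)
        if balance >= 0:
            return "answer"
        self.limited[key] += 1
        # Every slip-th limited response goes out truncated (TC=1): no
        # amplification, but a real client behind that address retries over TCP.
        if self.slip and self.limited[key] % self.slip == 0:
            return "truncate"
        return "drop"

def blanket_any_block(qtype):
    """The policy the thread argues against: refuse every ANY query outright."""
    return "drop" if qtype == "ANY" else "answer"

def simulate():
    """Constructed traffic: 20 spoofed ANY queries/s for 3 s plus one real client."""
    rrl, flood, legit = ResponseRateLimiter(), Counter(), Counter()
    for second in range(3):
        for _ in range(20):  # source address forged to the victim, 192.0.2.10
            flood[rrl.decide(second, "192.0.2.10", "example.org", "ANY")] += 1
        # unrelated resolver sending one legitimate ANY query per second
        legit[rrl.decide(second, "198.51.100.7", "example.org", "ANY")] += 1
    return flood, legit
```

In this model only 5 of the 60 flood queries receive a full answer, while the unrelated resolver's ANY queries are all answered; the blanket policy would have dropped those as well.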


