[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"
Tony Finch
dot at dotat.at
Mon Sep 5 09:27:48 UTC 2016
Paul Vixie <paul at redbarn.org> wrote:
>
> blocking ANY wastes your time and annoys the pig. only protocol aware rate
> limiting, for example DNS RRL, will keep your authority server from being an
> attractive reflecting amplifier.
RRL and minimal-any mitigate different kinds of attacks.
minimal-any is useful for query floods from legitimate clients (e.g. if a
bunch of recursive servers are being used as amplifiers) because it avoids
pushing queries to TCP and overloading the authoritative server.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
South Biscay, Southeast Fitzroy: Variable 4, becoming northeasterly 5 or 6
later in Fitzroy. Moderate. Mainly fair. Good, occasionally poor.
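As an added illustration (not part of this thread, and not configuration from either poster), the two mitigations being contrasted above map onto two separate BIND 9 `options` settings. Both can be enabled together, since they address different problems: RRL throttles a forged-source reflection flood, while `minimal-any` shrinks ANY responses over UDP without setting TC and driving clients to TCP. The numeric values are assumed illustrative placeholders, not recommendations from the thread.

```conf
options {
    directory "/var/named";
    recursion no;               // authoritative-only server

    // minimal-any: answer UDP ANY queries with a single RRset instead of
    // the full set, and do NOT set TC, so legitimate resolvers keep using
    // UDP rather than retrying over TCP and piling load on this server.
    minimal-any yes;

    // Response Rate Limiting (RRL): protocol-aware limiting of identical
    // responses per client /24 (IPv4) or /56 (IPv6), which blunts this
    // server's value as a reflecting amplifier.
    rate-limit {
        responses-per-second 10;   // assumed value for illustration
        window 5;                  // seconds over which the rate is measured
        slip 2;                    // every 2nd dropped answer becomes a TC=1 reply
        log-only no;               // set to "yes" first to observe before enforcing
    };
};
```

`minimal-any` is available from BIND 9.11 onward; on older releases the directive is unknown and `named-checkconf` will reject the file. Setting `log-only yes` initially lets an operator measure how many responses RRL would suppress before it starts dropping them.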