[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Tony Finch dot at dotat.at
Mon Sep 5 09:27:48 UTC 2016

Paul Vixie <paul at redbarn.org> wrote:
> blocking ANY wastes your time and annoys the pig. only protocol aware rate
> limiting, for example DNS RRL, will keep your authority server from being an
> attractive reflecting amplifier.

RRL and minimal-any mitigate different kinds of attacks.

minimal-any is useful for query floods from legitimate clients (e.g. if a
bunch of recursive servers are being used as amplifiers) because it avoids
pushing queries to TCP and overloading the authoritative server.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
South Biscay, Southeast Fitzroy: Variable 4, becoming northeasterly 5 or 6
later in Fitzroy. Moderate. Mainly fair. Good, occasionally poor.

More information about the dns-operations mailing list