[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
Jim Reid
jim at rfc1035.com
Mon Sep 5 15:39:17 UTC 2016
> On 5 Sep 2016, at 15:47, Damian Menscher <damian at google.com> wrote:
>
> 1) Bypassing ANY is trivial for the attacker, as they can switch to TXT or any other record.
Not quite. An attacker can of course easily switch from ANY queries to whatever qtype they choose. This probably won't produce as big a bang for their buck because the response payload for that qtype is unlikely to be as chunky as an ANY response. Or they might only get a NOHOST or NXDOMAIN if there’s no TXT (say) record for the qname.
Just FYI, here are the response sizes for queries to the root for a random selection of qtypes:
  qtype   bytes
  ANY     2047
  NS       783
  SOA      640
  DNSKEY   450
  RRSIG   1471
  TXT      103 (NOHOST)
  MX       103 (NOHOST)
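As an added illustration (not part of the post or the list), the script below builds the wire-format query for each qtype listed above and divides the quoted response size by the query size, so the figures read as response/query ratios when deciding which qtypes deserve rate limiting. It assumes the sizes were measured with an EDNS0 query (DO bit set) against the root; the qtype codes are the standard ones from RFC 1035 and RFC 4034.

```python
import struct

# Response sizes (bytes) for queries to the root, as quoted in the post above.
ROOT_RESPONSE_SIZES = {
    "ANY": 2047, "NS": 783, "SOA": 640, "DNSKEY": 450,
    "RRSIG": 1471, "TXT": 103, "MX": 103,
}

# Standard RR type codes (RFC 1035, RFC 4034); ANY is the QTYPE "*" = 255.
QTYPE = {"ANY": 255, "NS": 2, "SOA": 6, "DNSKEY": 48, "RRSIG": 46, "TXT": 16, "MX": 15}


def encode_qname(name):
    """Encode a domain name as DNS labels; the root "." becomes a single zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, edns_bufsize=4096):
    """Return the UDP wire bytes of a query carrying an EDNS0 OPT record (RFC 6891).

    Assumption: the measurements were taken with DO=1, so that bit is set here too.
    """
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    question = encode_qname(qname) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/DO, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0x8000, 0)
    return header + question + opt


def amplification_factors(qname="."):
    """Map each qtype to (response bytes / query bytes), rounded to one decimal."""
    return {qt: round(size / len(build_query(qname, qt)), 1)
            for qt, size in ROOT_RESPONSE_SIZES.items()}


def qtypes_over(threshold, qname="."):
    """Qtypes whose response/query ratio exceeds the threshold, largest first."""
    factors = amplification_factors(qname)
    return [qt for qt, f in sorted(factors.items(), key=lambda kv: -kv[1]) if f > threshold]


if __name__ == "__main__":
    for qt, f in sorted(amplification_factors().items(), key=lambda kv: -kv[1]):
        print(f"{qt:7s} {f:6.1f}x")
    print("over 20x:", qtypes_over(20.0))
```

With a 28-byte query to the root, SOA still comes out at roughly 23x, which is the point of the subject line.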