[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Jim Reid jim at rfc1035.com
Mon Sep 5 15:39:17 UTC 2016

> On 5 Sep 2016, at 15:47, Damian Menscher <damian at google.com> wrote:
> 1) Bypassing ANY is trivial for the attacker, as they can switch to TXT or any other record.

Not quite. An attacker can of course easily switch from ANY queries to whatever qtype they choose. This probably won't produce as big a bang for their buck because the response payload for that qtype is unlikely to be as chunky as an ANY response. Or they might only get a NOHOST or NXDOMAIN if there’s no TXT (say) record for the qname.

Just FYI, here are the response sizes for queries to the root for a random selection of qtypes:

ANY	2047
NS	783
SOA	640
RRSIG	1471

More information about the dns-operations mailing list