[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Damian Menscher damian at google.com
Mon Sep 5 15:47:17 UTC 2016


On Mon, Sep 5, 2016 at 8:39 AM, Jim Reid <jim at rfc1035.com> wrote:
>
> > On 5 Sep 2016, at 15:47, Damian Menscher <damian at google.com> wrote:
> >
> > 1) Bypassing ANY is trivial for the attacker, as they can switch to TXT
> or any other record.
>
> Not quite. An attacker can of course easily switch from ANY queries to
> whatever qtype they choose. This probably won't produce as big a bang for
> their buck because the response payload for that qtype is unlikely to be as
> chunky as an ANY response. Or they might only get a NOHOST or NXDOMAIN if
> there’s no TXT (say) record for the qname.
>

You're forgetting that attackers can register domains too.  I once saw an
attack domain set up with ~100 A records, so they could perform
amplification with an A? query.

Damian
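The thread's point, that qtype-based filtering is bypassable because an attacker-registered name with many A records amplifies just as well as ANY, is easier to see with sizes in hand. The following added example (not part of the original post, names, addresses and the 4096-byte EDNS buffer are constructed assumptions) builds an A? query and a 100-record answer in wire format, computes the amplification factor, and shows a qtype-agnostic per-client byte budget of the kind response rate limiting enforces, which catches the large A answer the same way it catches ANY:

```python
import struct

EDNS_OPT = struct.pack("!BHHIH", 0, 41, 4096, 0, 0)  # root name, type OPT, 4096-byte UDP buffer

def _name(qname: str) -> bytes:
    """Encode a domain name in DNS wire format (uncompressed)."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname: str, qtype: int) -> bytes:
    """12-byte header, one question, plus an EDNS OPT record (arcount=1)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    return header + _name(qname) + struct.pack("!HH", qtype, 1) + EDNS_OPT

def build_a_response(qname: str, n_records: int, ttl: int = 300) -> bytes:
    """Answer carrying n_records A records (constructed 192.0.2.0/24 addresses)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, n_records, 0, 1)
    question = _name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        # 0xC00C: compression pointer to the qname at offset 12; rdlength 4
        struct.pack("!HHHIH4B", 0xC00C, 1, 1, ttl, 4, 192, 0, 2, i % 256)
        for i in range(n_records)
    )
    return header + question + answers + EDNS_OPT

def amplification(query: bytes, response: bytes) -> float:
    """Bytes sent to the (possibly spoofed) client per byte received."""
    return len(response) / len(query)

class ResponseByteBudget:
    """Per-client outbound byte budget per time window; ignores qtype entirely,
    so a 100-A-record answer is limited exactly like an ANY answer."""
    def __init__(self, max_bytes_per_window: int, window_s: float = 1.0):
        self.max_bytes = max_bytes_per_window
        self.window_s = window_s
        self._used = {}  # (client_ip, window index) -> bytes sent so far

    def allow(self, client_ip: str, response: bytes, now: float) -> bool:
        """Return False when sending this response would exceed the client's budget."""
        key = (client_ip, int(now // self.window_s))
        used = self._used.get(key, 0) + len(response)
        self._used[key] = used
        return used <= self.max_bytes

if __name__ == "__main__":
    q = build_query("example.com", 1)           # A? example.com
    r = build_a_response("example.com", 100)   # the ~100 A records from the thread
    print(len(q), len(r), amplification(q, r))  # 40 1640 41.0
```

Without EDNS the same answer would be truncated to 512 bytes over UDP, which is why amplification attacks rely on a large advertised buffer rather than on any particular qtype.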