[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
Paul Vixie
paul at redbarn.org
Tue Sep 6 10:34:18 UTC 2016
Tony Finch wrote:
> Roland Dobbins<rdobbins at arbor.net> wrote:
>> Also, note that some attackers set up their own domains with large records
>> precisely in order to use them for reflection/amplification attacks.
>
> From my point of view, I see this as a win for minimal-any, ...
it is not.
> ... since it means
> the attackers aren't using my infrastructure for their evil purposes. More
> minimal-any makes attacks more difficult.
1:1 reflection still gives the benefit of path obfuscation, and many
on-path devices close to the victim will be packet header bottlenecked
rather than octet bottlenecked.
one ethics canary is "how would the world be if everyone did what i'm
considering doing?" and in this case the attackers would switch to some
other qtype than ANY, and continue as before. this would make it harder
to detect, and surreptitiously backtrack, these attacks, since they
would fade more so into the background. a net loss for the defense.
--
P Vixie
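Vixie's argument that attackers would simply move to another qtype implies that a resolver operator's detection should score amplification per claimed source address rather than keying on ANY. The following is an added example written for this page, not code from the thread or any of its participants: it summarises constructed resolver log records and flags sources whose response-to-query byte ratio is high, with and without a qtype filter. The record layout, the addresses, the byte counts and the thresholds are all assumptions.

```python
"""Qtype-agnostic amplification scoring over constructed DNS resolver records.

Added illustration: the records, field layout and thresholds below are made
up for this example and do not correspond to any particular resolver's logs.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed records: (claimed_source_ip, qname, qtype, query_bytes, response_bytes).
# In a reflection attack the claimed source is the spoofed address of the victim,
# so per-source response volume is what matters, not which qtype was asked.
SAMPLE_RECORDS = [
    ("198.51.100.7", "example.net", "ANY", 60, 3200),
    ("198.51.100.7", "example.net", "ANY", 60, 3200),
    ("198.51.100.7", "example.net", "ANY", 60, 3200),
    ("203.0.113.9", "big.example", "TXT", 58, 2900),
    ("203.0.113.9", "big.example", "TXT", 58, 2900),
    ("203.0.113.9", "big.example", "SOA", 58, 1100),
    ("203.0.113.9", "big.example", "SOA", 58, 1100),
    ("192.0.2.5", "www.example.com", "A", 52, 68),
    ("192.0.2.5", "example.com", "MX", 48, 120),
]


@dataclass
class SourceStats:
    """Byte and query counts accumulated for one claimed source address."""
    queries: int = 0
    query_bytes: int = 0
    response_bytes: int = 0
    qtypes: set = field(default_factory=set)

    @property
    def amplification(self) -> float:
        """Response bytes sent per query byte received (0.0 if nothing seen)."""
        return self.response_bytes / self.query_bytes if self.query_bytes else 0.0


def summarize(records, qtype_filter=None):
    """Aggregate records per source; optionally restrict to a set of qtypes."""
    stats = defaultdict(SourceStats)
    for src, _qname, qtype, qlen, rlen in records:
        if qtype_filter is not None and qtype not in qtype_filter:
            continue
        s = stats[src]
        s.queries += 1
        s.query_bytes += qlen
        s.response_bytes += rlen
        s.qtypes.add(qtype)
    return dict(stats)


def flag_reflection_sources(records, min_amplification=10.0, min_queries=2,
                            qtype_filter=None):
    """Return sorted sources whose amplification ratio exceeds the threshold.

    Thresholds are assumed values for illustration. With qtype_filter=None the
    check is qtype-agnostic; passing {"ANY"} reproduces an ANY-only view.
    """
    stats = summarize(records, qtype_filter)
    return sorted(src for src, s in stats.items()
                  if s.queries >= min_queries
                  and s.amplification >= min_amplification)


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_RECORDS).items():
        print(f"{src:14} queries={s.queries} amp={s.amplification:.1f} "
              f"qtypes={sorted(s.qtypes)}")
    print("flagged (all qtypes):", flag_reflection_sources(SAMPLE_RECORDS))
    print("flagged (ANY only):  ",
          flag_reflection_sources(SAMPLE_RECORDS, qtype_filter={"ANY"}))
```

Run as-is, the qtype-agnostic pass flags both the ANY-based source and the one that only ever asked for TXT and SOA, while the ANY-only view misses the second entirely, which is the detection gap the message describes.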