[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Paul Vixie paul at redbarn.org
Tue Sep 6 10:34:18 UTC 2016

Tony Finch wrote:
> Roland Dobbins<rdobbins at arbor.net>  wrote:
>> Also, note that some attackers set up their own domains with large records
>> precisely in order to use them for reflection/amplification attacks.
>  From my point of view, I see this as a win for minimal-any, ...

it is not.

> ... since it means
> the attackers aren't using my infrastructure for their evil purposes. More
> minimal-any makes attacks more difficult.

1:1 reflection still gives the benefit of path obfuscation, and many 
on-path devices close to the victim will be packet header bottlenecked 
rather than octet bottlenecked.

one ethics canary is "how would the world be if everyone did what i'm 
considering doing?" and in this case the attackers would switch to some 
other qtype than ANY, and continue as before. this would make it harder 
to detect, and surreptitiously backtrack, these attacks, since they 
would fade moreso into the background. a net loss for the defense.

P Vixie

More information about the dns-operations mailing list