[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

sthaug at nethelp.no
Tue Sep 6 11:13:59 UTC 2016

> One ethics canary is "how would the world be if everyone did what I'm 
> considering doing?" and in this case the attackers would switch to some 
> other qtype than ANY, and continue as before. This would make it harder 
> to detect, and surreptitiously backtrack, these attacks, since they 
> would fade more so into the background. A net loss for the defense.

I'm very willing to believe that some attackers switch. However, the
observed behavior from "my" name servers is that attackers continue
using ANY queries in a significant majority of the cases. Only once in
a while do we see attacks based on TXT or some other type of query.

Thus from my point of view, restricting ANY queries (for instance by
forcing truncation and switch to TCP) still seems like a net win.


Steinar Haug, AS2116
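The "force truncation and switch to TCP" behaviour that the post above refers to, shown as an added example that is not code from this thread or from any named server: a toy authoritative responder over a constructed zone (the name example.test. with the documentation address 192.0.2.1 and one TXT record, all made up for the example). Ordinary queries are answered normally on either transport, but an ANY query arriving over UDP gets an empty response with the TC bit set. A genuine resolver then retries over TCP and gets the full answer; a spoofed UDP source receives only a ~30-byte reply, so the response is no longer useful for amplification.

```python
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
QCLASS_IN = 1
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
RCODE_NXDOMAIN = 3

# Constructed sample zone for this example (not real data); rdata is kept in wire format.
ZONE = {
    "example.test.": {
        QTYPE_A: [bytes([192, 0, 2, 1])],   # 192.0.2.1, a documentation-range address
        QTYPE_TXT: [b"\x05hello"],          # one <character-string>
    },
}


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels followed by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode an uncompressed name at msg[off]; returns (dotted name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0:
            raise ValueError("compression pointers are not expected in a question section")
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(name: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Build a plain (non-EDNS) query with RD set, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def _rr(rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    # 0xC00C is a compression pointer to the owner name in the question (offset 12).
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata


def respond(query: bytes, transport: str) -> bytes:
    """Answer one query; transport is 'udp' or 'tcp'. UDP ANY gets an empty TC=1 reply."""
    qid, qflags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    flags = FLAG_QR | FLAG_AA | (qflags & FLAG_RD)

    records = ZONE.get(name.lower()) if qclass == QCLASS_IN else None
    if records is None:
        return struct.pack("!HHHHHH", qid, flags | RCODE_NXDOMAIN, 1, 0, 0, 0) + question

    if qtype == QTYPE_ANY and transport == "udp":
        # The policy discussed in the thread: never serve the large ANY answer over UDP.
        # An empty response with TC=1 is a few dozen bytes, so it gives no amplification;
        # a real client retries over TCP (RFC 1035 s4.2.1), which a spoofed source cannot.
        return struct.pack("!HHHHHH", qid, flags | FLAG_TC, 1, 0, 0, 0) + question

    if qtype == QTYPE_ANY:
        answers = [_rr(t, rd) for t, rds in records.items() for rd in rds]
    else:
        answers = [_rr(qtype, rd) for rd in records.get(qtype, [])]
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)


def summarize(resp: bytes):
    """Return (tc_set, rcode, ancount, wire length) of a response, for inspection."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    return bool(flags & FLAG_TC), flags & 0x0F, ancount, len(resp)


if __name__ == "__main__":
    for qtype, transport in ((QTYPE_ANY, "udp"), (QTYPE_ANY, "tcp"), (QTYPE_A, "udp")):
        resp = respond(build_query("example.test.", qtype), transport)
        print(f"qtype={qtype:3d} over {transport}: tc, rcode, ancount, bytes = {summarize(resp)}")
```

Note what this does and does not cover: only qtype ANY is affected, so a TXT query over UDP is still answered in full, which is exactly the switch the quoted reply worries about; in practice this measure is combined with response rate limiting. Production servers implement the same behaviour natively (NSD's `refuse-any: yes`, for instance, truncates UDP ANY queries and answers them normally over TCP), so the toy responder above is only there to make the wire-level effect visible.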

