[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

sthaug at nethelp.no sthaug at nethelp.no
Tue Sep 6 12:06:04 UTC 2016

> > I'm very willing to believe that some attackers switch. However, the
> > observed behavior from "my" name servers is that attackers continue
> > using ANY queries in a significant majority of the cases. Only once in
> > a while do we see attacks based on TXT or some other type of query.
> >
> > Thus from my point of view, restricting ANY queries (for instance by
> > forcing truncation and switch to TCP) still seems like a net win.
> you are not playing this game to win. think economics. think area under 
> the curve.
> > YMMV.
> no. we will, together, live in the world that blocking ANY will create.

I'm afraid we'll have to agree to disagree then. I'm reasonably happy
with RRL on my authoritative servers and "any-to-tcp=yes" on recursive
servers. I still haven't seen a good argument for why I should turn off

(No, I don't block ANY queries, in case anybody was wondering)

Steinar Haug, AS2116

More information about the dns-operations mailing list