[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
sthaug at nethelp.no
Tue Sep 6 12:06:04 UTC 2016
> > I'm very willing to believe that some attackers switch. However, the
> > observed behavior from "my" name servers is that attackers continue
> > using ANY queries in a significant majority of the cases. Only once in
> > a while do we see attacks based on TXT or some other type of query.
> >
> > Thus from my point of view, restricting ANY queries (for instance by
> > forcing truncation and switch to TCP) still seems like a net win.
>
> you are not playing this game to win. think economics. think area under
> the curve.
>
> > YMMV.
>
> no. we will, together, live in the world that blocking ANY will create.
I'm afraid we'll have to agree to disagree then. I'm reasonably happy
with RRL on my authoritative servers and "any-to-tcp=yes" on recursive
servers. I still haven't seen a good argument for why I should turn off
"any-to-tcp=yes".
(No, I don't block ANY queries, in case anybody was wondering)
Steinar Haug, AS2116
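The "forcing truncation and switch to TCP" behaviour discussed in this thread, as an added illustration that is not part of the post or of any resolver's code: a UDP ANY query gets an empty reply with the TC bit set, so a real client retries over TCP (where the source address cannot be trivially spoofed), while every other query is passed through for normal handling. The wire-format helpers and the sample query are constructed here for the example.

```python
import struct

QTYPE_ANY = 255      # RFC 1035 QTYPE "*" (ANY)
FLAG_QR = 0x8000     # response bit
FLAG_TC = 0x0200     # truncated bit: tells the client to retry over TCP
FLAG_RD = 0x0100     # recursion desired, echoed back to the client


def build_query(qname, qtype, txid=0x1234):
    """Constructed sample query in DNS wire format (one question, RD=1)."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack(">HH", qtype, 1)  # class IN


def parse_question(pkt):
    """Return (txid, flags, qname, qtype, raw_question) for the first question."""
    txid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("query carries no question section")
    pos, labels = 12, []
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, _qclass = struct.unpack(">HH", pkt[pos:pos + 4])
    return txid, flags, ".".join(labels) + ".", qtype, pkt[12:pos + 4]


def any_to_tcp(pkt, over_tcp):
    """Mimic an any-to-tcp policy: for ANY received over UDP, return an empty
    response with QR=1 and TC=1 so the client retries over TCP. Returns None for
    any other query (or ANY already over TCP), meaning "answer normally"."""
    txid, flags, _qname, qtype, question = parse_question(pkt)
    if qtype != QTYPE_ANY or over_tcp:
        return None
    resp_flags = FLAG_QR | FLAG_TC | (flags & FLAG_RD)
    # Header with the original question echoed and zero answer/authority/additional RRs
    return struct.pack(">HHHHHH", txid, resp_flags, 1, 0, 0, 0) + question


def is_truncated(resp):
    """True if the response has the TC bit set."""
    return bool(struct.unpack(">H", resp[2:4])[0] & FLAG_TC)
```

The reply stays as small as the query itself, which is the point: an amplifier gains nothing from a spoofed UDP ANY query that is only ever answered in full over TCP.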