[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Paul Vixie paul at redbarn.org
Wed Sep 7 01:51:15 UTC 2016

sthaug at nethelp.no wrote:
>>> I'm very willing to believe that some attackers switch. However, the
>>> observed behavior from "my" name servers is that attackers continue
>>> using ANY queries in a significant majority of the cases. Only once in
>>> a while do we see attacks based on TXT or some other type of query.
>>> Thus from my point of view, restricting ANY queries (for instance by
>>> forcing truncation and switch to TCP) still seems like a net win.
>> you are not playing this game to win. think economics. think area under
>> the curve.
>>> YMMV.
>> no. we will, together, live in the world that blocking ANY will create.
> I'm afraid we'll have to agree to disagree then.

huh. i'm saying my mileage won't vary; we will share fate. or did you 
mean "you're not playing this game to win"? in which case, see below.

> ... I still haven't seen a good argument for why I should turn off
> "any-to-tcp=yes".

because it is security theatre, gives you a false sense of having done 
something to defend yourself, and encourages others to do likewise. it's 
as though "something has got to be done" and fiddling with ANY 
signalling is "something" so you're doing it, with no thought of the 
larger engineering economics debacle this small move is part of.

do you remember when spammers did not have easy and cheap access to 
large numbers of throwaway domain names? they used to put dotted quads 
into their message bodies. along came spamassassin, treating dotted 
quads in message bodies as spam-sign. now, spammers can get all the 
cheap throwaway domains they will ever need, and spam is harder to 
detect. in this way we did nothing but drive our own costs up and 
improve the educations and capabilities of spammers everywhere. i would 
like the security industry to please stop behaving this way. just 
because "something has got to be done" does not equivocate all values of 
"something". some things should NOT be done.

P Vixie
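The thread turns on an empirical question: is the abusive traffic still arriving as ANY queries, or has it moved to TXT and other types once ANY is throttled? The script below, added here as an illustration and not part of Vixie's post or of any DNS server's own tooling, tallies query types per client from BIND-style query-log lines and flags sources whose traffic is dominated by amplification-friendly types. The log lines are constructed for the example (RFC 5737 documentation addresses, made-up names), and the regular expression assumes the layout of BIND's "queries" log category; adjust it for another server's log format.

```python
"""
Per-client query-type tally over BIND-style query-log lines.

Shows whether suspected amplification abuse is still ANY-based or has
shifted to other types (TXT in the thread's example). Sample log lines
are constructed; the regex assumes BIND's "queries" category format.
"""
import re
from collections import Counter, defaultdict

# Assumed BIND query-log shape, e.g.
#   07-Sep-2016 01:51:15.123 client 192.0.2.10#4444 (example.com): query: example.com IN ANY +E (198.51.100.1)
# Newer BIND versions insert a "@0x..." pointer after "client"; it is optional here.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return (client_ip, qname, qtype, flags), or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname"), m.group("qtype"), m.group("flags")


def tally(lines):
    """Count queries per client and type: dict client_ip -> Counter(qtype)."""
    per_client = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log line, skip
        ip, _qname, qtype, _flags = parsed
        per_client[ip][qtype] += 1
    return per_client


def qtype_share(per_client):
    """Overall fraction of queries per type across all clients."""
    total = Counter()
    for counts in per_client.values():
        total.update(counts)
    n = sum(total.values())
    return {qtype: c / n for qtype, c in total.items()} if n else {}


def suspicious_clients(per_client, min_queries=5, amp_types=("ANY", "TXT"), ratio=0.8):
    """Clients sending at least min_queries where amplification-friendly types
    make up at least `ratio` of their traffic. Thresholds are illustrative."""
    flagged = {}
    for ip, counts in per_client.items():
        total = sum(counts.values())
        if total < min_queries:
            continue
        amp = sum(counts[t] for t in amp_types)
        if amp / total >= ratio:
            flagged[ip] = {"total": total, "amp": amp, "types": dict(counts)}
    return flagged


# Constructed sample: one client hammering ANY, one that has switched to TXT,
# one ordinary resolver, and one low-volume ANY sender below the threshold.
def _line(ip, qname, qtype):
    return (f"07-Sep-2016 01:51:15.123 client {ip}#4444 ({qname}): "
            f"query: {qname} IN {qtype} +E (198.51.100.1)")


SAMPLE_LOG = (
    [_line("192.0.2.10", "example.com", "ANY")] * 6
    + [_line("192.0.2.20", "example.com", "TXT")] * 5
    + [_line("198.51.100.5", "example.com", t) for t in ("A", "AAAA", "MX", "A", "TXT", "A")]
    + [_line("203.0.113.7", "example.net", "ANY")] * 2
    + ["07-Sep-2016 01:51:16.001 general: info: unrelated line"]
)

if __name__ == "__main__":
    per_client = tally(SAMPLE_LOG)
    for qtype, share in sorted(qtype_share(per_client).items()):
        print(f"{qtype:5s} {share:.0%}")
    for ip, info in suspicious_clients(per_client).items():
        print(ip, info)
```

Run against a real query log, the `qtype_share` output answers the "majority of cases" question directly, and re-running it after enabling ANY truncation shows whether the abusive sources simply moved to TXT, which is the shift the thread argues about.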
