[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
Paul Vixie
paul at redbarn.org
Wed Sep 7 01:51:15 UTC 2016
sthaug at nethelp.no wrote:
>>> I'm very willing to believe that some attackers switch. However, the
>>> observed behavior from "my" name servers is that attackers continue
>>> using ANY queries in a significant majority of the cases. Only once in
>>> a while do we see attacks based on TXT or some other type of query.
>>>
>>> Thus from my point of view, restricting ANY queries (for instance by
>>> forcing truncation and switch to TCP) still seems like a net win.
>> you are not playing this game to win. think economics. think area under
>> the curve.
>>
>>> YMMV.
>> no. we will, together, live in the world that blocking ANY will create.
>
> I'm afraid we'll have to agree to disagree then.
huh. i'm saying my mileage won't vary; we will share fate. or did you
mean "you're not playing this game to win"? in which case, see below.
> ... I still haven't seen a good argument for why I should turn off
> "any-to-tcp=yes".
because it is security theatre, gives you a false sense of having done
something to defend yourself, and encourages others to do likewise. it's
as though "something has got to be done" and fiddling with ANY
signalling is "something" so you're doing it, with no thought of the
larger engineering economics debacle this small move is part of.
do you remember when spammers did not have easy and cheap access to
large numbers of throwaway domain names? they used to put dotted quads
into their message bodies. along came spamassassin, treating dotted
quads in message bodies as spam-sign. now, spammers can get all the
cheap throwaway domains they will ever need, and spam is harder to
detect. in this way we did nothing but drive our own costs up and
improve the educations and capabilities of spammers everywhere. i would
like the security industry to please stop behaving this way. just
because "something has got to be done" does not equivocate all values of
"something". some things should NOT be done.
--
P Vixie
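The mechanism under debate in the quoted exchange is a server replying to UDP ANY queries with an empty, truncated (TC=1) answer so the client must retry over TCP, where the handshake validates the source address. The following is an added example, written for this archive page and not code from either poster or from any DNS server; it hand-parses RFC 1035 wire-format queries, models that policy as `udp_policy_response` (the set of truncated types is a parameter, so SOA can be added as the subject line suggests), checks that the truncated reply carries no amplification, and tallies, from constructed log lines, the share of ANY per source, the kind of count behind the "attackers still mostly use ANY" observation. All names, the log format and the sample addresses are assumptions.

```python
"""Model of an ANY-to-TCP truncation policy plus a query-type tally.
Hypothetical example code (not from the dns-operations thread or any DNS server)."""
import struct
from collections import Counter, defaultdict

# RR type numbers from the IANA DNS parameters registry
QTYPE = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AAAA": 28, "ANY": 255}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: client should retry over TCP
FLAG_RD = 0x0100  # recursion desired (copied back from the query)


def build_query(qname, qtype, txid=0x1234):
    """Build a minimal one-question DNS query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # class IN


def parse_query(packet):
    """Return (txid, flags, qname, qtype, question_bytes) for a one-question packet."""
    if len(packet) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated qname")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question section")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, flags, ".".join(labels) + ".", qtype, packet[12:pos + 4]


def udp_policy_response(packet, truncate_types=frozenset({QTYPE["ANY"]})):
    """Model of an any-to-tcp style setting for a query received over UDP.
    If the qtype is in truncate_types, return an empty TC=1 response that
    echoes the question; otherwise return None (answer normally)."""
    txid, flags, _qname, qtype, question = parse_query(packet)
    if qtype not in truncate_types:
        return None
    resp_flags = FLAG_QR | FLAG_TC | (flags & FLAG_RD)
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + question


def is_truncated(response):
    """True when the TC bit is set in a response header."""
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)


def amplification(query, response):
    """Bytes sent back per byte received; 1.0 means no amplification."""
    return len(response) / len(query)


# Constructed sample log lines: "<source-ip> <qname> <qtype>"
SAMPLE_LOG = [
    "192.0.2.10 example.net. ANY",
    "192.0.2.10 example.net. ANY",
    "192.0.2.10 example.net. TXT",
    "198.51.100.7 example.net. A",
]


def any_share(log_lines):
    """Per source address, the fraction of its queries that were type ANY."""
    per_src = defaultdict(Counter)
    for line in log_lines:
        src, _qname, qtype = line.split()
        per_src[src][qtype] += 1
    return {src: c["ANY"] / sum(c.values()) for src, c in per_src.items()}


if __name__ == "__main__":
    q = build_query("example.net.", QTYPE["ANY"])
    r = udp_policy_response(q)
    print("ANY over UDP -> truncated:", is_truncated(r), "amplification:", amplification(q, r))
    print("ANY share per source:", any_share(SAMPLE_LOG))
```

The truncated reply is exactly the size of the query (header plus echoed question), which is the point of the technique: an attacker spoofing a victim's address gets no amplification from a UDP ANY, and a legitimate resolver simply retries over TCP.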