[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Jared Mauch jared at puck.nether.net
Wed Sep 7 13:00:06 UTC 2016

> On Sep 7, 2016, at 8:31 AM, Roland Dobbins <rdobbins at arbor.net> wrote:
> Can confirm - ANY and lots of TXT responses are a very strong, useful signal when it comes to sorting the wheat from the chaff on the reflector/amplifier ---> target leg of DNS reflection/amplification attacks.

I’d be interested in seeing software provide a more granular option than any-to-tcp so we can do it based on response size, eg: (if over 128 bytes, send TC=1).

lots of CPE or embedded dnsmasq stuff doesn’t handle TC facing stub well.

- Jared

More information about the dns-operations mailing list