[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"
Tony Finch
dot at dotat.at
Wed Sep 7 15:54:58 UTC 2016
Jared Mauch <jared at puck.nether.net> wrote:
> I’d be interested in seeing software provide a more granular option than
> any-to-tcp so we can do it based on response size, eg: (if over 128
> bytes, send TC=1).
BIND 9.11 can do that, though it applies to every qtype:
nocookie-udp-size
Sets the maximum size of UDP responses that will be sent to queries
without a valid server COOKIE. A value below 128 will be silently
raised to 128. The default value is 4096, but the max-udp-size option
may further limit the response size.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Fitzroy: Westerly or southwesterly 5 to 7, occasionally gale 8 at first in
northwest. Very rough or high at first in northwest, otherwise moderate or
rough. Showers. Good.
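For reference, a named.conf fragment applying the option Tony quotes, with Jared's suggested threshold. This is an added illustration, not configuration from the post or from the BIND documentation; the zone name, server address and the 128-byte threshold are assumptions for the example.

```conf
// Added example: BIND 9.11 options block limiting UDP response size
// for queries that carry no valid server COOKIE (RFC 7873).
// Values below are chosen for illustration, not recommended defaults.
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };   // assumed authoritative address
    recursion no;

    // Upper bound on any UDP response we send; also applies to
    // cookie-bearing clients.
    max-udp-size 4096;

    // Responses larger than this go out with TC=1 unless the query
    // carried a COOKIE option with a valid server cookie. 128 is the
    // floor; anything lower is silently raised to 128. This applies to
    // every qtype, so it is not an ANY-only measure like any-to-tcp.
    nocookie-udp-size 128;
};

zone "example.net" {            // assumed zone
    type master;
    file "example.net.zone";
};
```

To confirm the setting from a client, query without a cookie and tell dig not to retry over TCP on truncation: `dig +nocookie +ignore @192.0.2.53 example.net DNSKEY` should show `tc` in the flags line once the answer exceeds 128 bytes, whereas the same query over TCP (`+tcp`) returns the full response. A client that presents a valid server cookie is exempt from this limit and is bounded only by `max-udp-size`, which is the point: the cookie proves the source address is not spoofed. The caveat for anyone copying the 128 value is that, at the time of this thread, most resolvers did not send cookies, so a threshold this low pushes nearly all of their traffic to TCP; the reflection-amplification benefit is real, but so is the extra TCP load, and a less aggressive value such as 512 is the more common compromise.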