<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Mar 6, 2015, at 10:54 AM, Anthony Eden &lt;<a href="mailto:anthony.eden@dnsimple.com" class="">anthony.eden@dnsimple.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Olafur,<div class=""><br class=""></div><div class="">Out of curiosity, have you considered forcing ANY queries over to TCP in all cases as a starting point to see what impact it has, if any?</div><div class=""><br class=""></div><div class="">Sincerely,</div><div class="">Anthony Eden</div></div><div class="gmail_extra"><br class=""></div></div></blockquote><div>Yes, we have been doing that for the last few months.<div class="">That does help a lot, but it still allows attackers to fill recursive resolvers with large answers to replay. </div><div class="">For us the main advantage of doing NOTIMP is code simplicity: we can generate the return packet without hitting the actual DNS server. 
</div><div class="">Another thought we had was to “poison” resolvers with bogus long lived record like </div><div class="">        <qname> 1W HINFO “Stop sending” “ANY query” </div><div class=""><br class=""></div><div class="">   Olafur</div><div class=""><br class=""></div></div><br class=""><blockquote type="cite" class=""><div class=""><div class="gmail_extra"><div class="gmail_quote">On Fri, Mar 6, 2015 at 4:48 PM, Casey Deccio <span dir="ltr" class=""><<a href="mailto:casey@deccio.net" target="_blank" class="">casey@deccio.net</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class=""><div class=""><div class="h5">On Fri, Mar 6, 2015 at 10:05 AM, Olafur Gudmundsson <span dir="ltr" class=""><<a href="mailto:ogud@ogud.com" target="_blank" class="">ogud@ogud.com</a>></span> wrote:<br class=""></div></div><div class="gmail_extra"><div class="gmail_quote"><div class=""><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class=""><div class=""><br class=""></div><div class="">We will be depreciating support for ANY queries and return NOTIMP in the near future </div><div class=""><a href="https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/" target="_blank" class="">https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/</a></div><div class=""><br class=""></div><div class="">ID proposing this behavior will be forthcoming </div><span class=""><font color="#888888" class=""><div class=""><br class=""></div></font></span></div></blockquote><div class=""><br class=""></div></div></div><div class="">Be prepared...  Less than two years ago a prominent DNS service began denying ANY queries for a previous employer's domain, and some (important) emails were not delivered.  
Historical measurements will help quantify potential issues, but certainly those are not comprehensive, and like anything, there will be breakage.<br class=""><br class=""></div><div class="">I'm not suggesting it's not the right direction, but the change seems somewhat abrupt, and might result in some undesirable near-term effects.  Community support and publicity could help mitigate issues.<br class=""></div><div class=""><br class=""></div></div></div></div></blockquote></div></div></div></blockquote><div class=""><br class=""></div><blockquote type="cite" class=""><div class=""><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class=""><div class="gmail_extra"><div class="gmail_quote"><div class="">Best regards,<br class=""></div><div class="">Casey</div></div></div></div>
<br class="">_______________________________________________<br class="">
dns-operations mailing list<br class="">
<a href="mailto:dns-operations@lists.dns-oarc.net" class="">dns-operations@lists.dns-oarc.net</a><br class="">
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operationsdns-jobs" target="_blank" class="">https://lists.dns-oarc.net/mailman/listinfo/dns-operations<br class="">
dns-jobs</a> mailing list<br class="">
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank" class="">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br class=""></blockquote></div><br class=""><br clear="all" class=""><div class=""><br class=""></div>-- <br class=""><div class="gmail_signature"><a href="http://DNSimple.com" class="">DNSimple.com</a><br class=""><a href="http://dnsimple.com/" class="">http://dnsimple.com/</a><br class="">Twitter: @dnsimple</div>
</div>
</div></blockquote></div><br class=""></div></div></body></html>
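The three ways of deflecting QTYPE=ANY that the thread discusses (Anthony's forcing of ANY onto TCP by truncating the UDP answer, Olafur's NOTIMP, and the long-lived HINFO "poison" record), shown side by side as an added Python example. This is not code from the thread or from any participant's software: it builds packets by hand from the RFC 1035 wire format, and the policy names, function names, the example qname and the 0x1234 query ID are assumptions for illustration, while the HINFO strings and the 1W TTL are the ones in Olafur's message. No socket is opened; the point is that each response is generated from the question alone, without consulting the zone.

```python
"""Three ways an authoritative server can deflect QTYPE=ANY without touching
the zone data: truncate the UDP reply (TC=1, forcing a TCP retry), answer
NOTIMP, or hand back a single long-lived HINFO record.  Added example, pure
stdlib, RFC 1035 wire format; names and sample query are assumptions."""
import struct

QTYPE_ANY = 255
QTYPE_HINFO = 13
QCLASS_IN = 1
RCODE_NOTIMP = 4
ONE_WEEK = 7 * 24 * 3600                      # the "1W" TTL from the message
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:             # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(qname, qtype, qid=0x1234):
    """Constructed sample input: an RD=1 query with one question (assumed ID)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(pkt):
    qid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return qid, flags, qname, qtype, qclass, pkt[12:off + 4]


def hinfo_rdata(cpu, os_):
    """HINFO RDATA is two <character-string>s: 1-byte length + text each."""
    return bytes([len(cpu)]) + cpu + bytes([len(os_)]) + os_


def answer_any(pkt, policy, over_tcp=False):
    """Response for an ANY query under `policy` ("tcp", "notimp", "hinfo"),
    or None when the query must go to the real DNS engine (not ANY, or ANY
    that already arrived over TCP under the "tcp" policy)."""
    qid, flags, qname, qtype, qclass, question = parse_query(pkt)
    if qtype != QTYPE_ANY:
        return None
    rflags = FLAG_QR | FLAG_AA | (flags & FLAG_RD)
    if policy == "tcp":
        if over_tcp:
            return None                        # let the zone answer on TCP
        header = struct.pack("!HHHHHH", qid, rflags | FLAG_TC, 1, 0, 0, 0)
        return header + question               # empty + TC: resolver retries on TCP
    if policy == "notimp":
        header = struct.pack("!HHHHHH", qid, rflags | RCODE_NOTIMP, 1, 0, 0, 0)
        return header + question               # no answer section at all
    if policy == "hinfo":
        rdata = hinfo_rdata(b"Stop sending", b"ANY query")
        rr = (struct.pack("!H", 0xC00C)        # pointer to the question name
              + struct.pack("!HHIH", QTYPE_HINFO, qclass, ONE_WEEK, len(rdata))
              + rdata)
        header = struct.pack("!HHHHHH", qid, rflags, 1, 1, 0, 0)
        return header + question + rr
    raise ValueError("unknown policy " + policy)


def summarize(resp):
    """Decode the parts of a response a resolver would act on."""
    qid, flags, qd, an = struct.unpack("!HHHH", resp[:8])
    info = {"id": qid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "ancount": an, "answers": []}
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4                               # skip QTYPE and QCLASS
    for _ in range(an):
        name, off = decode_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_HINFO:               # split the two character-strings
            cpu = rdata[1:1 + rdata[0]]
            os_ = rdata[2 + rdata[0]:2 + rdata[0] + rdata[1 + rdata[0]]]
            rdata = (cpu.decode(), os_.decode())
        info["answers"].append((name, rtype, ttl, rdata))
    return info


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    for policy in ("tcp", "notimp", "hinfo"):
        print(policy, summarize(answer_any(q, policy)))
```

The "tcp" policy still lets an ANY reach the zone once the client retries over TCP, which is why it caps amplification but not the size of what a recursive resolver ends up caching; "notimp" and "hinfo" never consult the zone at all, and "hinfo" additionally leaves the resolver holding a small record for a week instead of repeating the query.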