any requests

Vernon Schryver vjs at rhyolite.com
Sun Jun 2 22:13:33 UTC 2013


> From: Matus UHLAR - fantomas <uhlar at fantomas.sk>

> On 02.06.13 20:28, hugo hugoo wrote:

> >I plan to block these kind of requests on the dns cache servers in order to
> > avoid any amplification attack.

> hard to say, but as I stated before: don't do that.

Use RRL instead, to mitigate many kinds of amplification attacks, not
only those using ANY.  See http://www.redbarn.org/dns/ratelimits

Blocking DNS ANY requests is to DNS amplification DoS mitigation as
blocking SMTP envelope Mail_From values of <> is to spam filtering.
In early spam days, people who either knew far less than they pretended
or had special agendas prescribed blocking the <> sender as almost the
FUSSP, and never mind RFCs that require accepting mail from <>, the
value of mail from <>, and the vast floods of spam that don't and
never did involve the <> sender.

Blocking DNS ANY or SMTP <> fits the old saying by H. L. Mencken:
    For every complex problem there is an answer that is clear,
     simple, and wrong.


Vernon Schryver    vjs at rhyolite.com

