[prev in list] [next in list] [prev in thread] [next in thread] 

List:       dns-operations
Subject:    [dns-operations] Restrict ANY query to TCP ? Re: Why would an MTA issue an ANY query instead of an M
From:       matt () conundrum ! com (Matthew Pounsett)
Date:       2012-06-11 19:12:35
Message-ID: 21EC7CC3-BE9B-4067-BFA1-69A5C21E991A () conundrum ! com


On 2012/06/11, at 13:57, Thomas Dupas wrote:

> Well, partly from what I see.
> Posts from yesterday already mentioned that many sources are not spoofed for the
> actual query the nameserver sees. If I look at our logs I see that most of the ANY
> queries come from North America, not China. They use spoofed source IPs to reach
> the CPE, but the CPE queries towards the nameserver aren't spoofed. Forcing ANY
> queries to TCP won't change that.


The vast majority of DoS-scale ANY queries we (Afilias) see are spoofed, generating
attacks against a third party.


On 2012/06/11, at 13:46, Olafur Gudmundsson wrote:

> how about a much simpler configuration option to force all
> ANY queries to be reissued over TCP,
>     restrict-any-udp  "yes/no";



Because that only solves the problem of ANY queries.  If they were forced over TCP,
then the next easiest attack vector is spoofed DNSKEY queries.
(source,query,answer) tuple rate limiting handles the entire attack method, not just
a single qtype.


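The argument above, as an added example (not code from the post, from Afilias, or from any nameserver): a toy model of a spoofed-source reflection attack against an authoritative server, run once with no mitigation, once with "ANY over TCP only", and once with rate limiting keyed on a (source prefix, qname, qtype) tuple. All response sizes, names, addresses and rates are constructed; the rate limiter is a simplified model of the tuple idea, not any product's implementation.

```python
"""Toy model of spoofed-source DNS reflection against an authoritative server,
comparing "force ANY over TCP" with per-(source, qname, qtype) rate limiting.

Added example for the thread above; not code from the post, from Afilias, or
from any nameserver. All sizes, names, addresses and rates are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed response sizes in bytes for a DNSSEC-signed zone (real ones vary).
RESPONSE_SIZE = {"A": 80, "ANY": 3200, "DNSKEY": 1500}
QUERY_SIZE = 60   # the spoofed UDP query the attacker actually has to send
TC_SIZE = 60      # a truncated (TC=1) reply carries no answer section


@dataclass
class Stats:
    bytes_to_source: int = 0   # what the spoofed "source" (the victim) receives
    full: int = 0              # complete answers sent
    truncated: int = 0         # TC=1 replies sent
    dropped: int = 0           # queries answered with nothing at all


@dataclass
class Responder:
    """Authoritative server; `mode` is "none", "any_tcp" or "rrl"."""
    mode: str
    responses_per_second: int = 5   # budget per (source /24, qname, qtype)
    slip: int = 2                   # every Nth over-budget reply is sent as TC=1
    _buckets: dict = field(default_factory=lambda: defaultdict(int))
    _slipped: dict = field(default_factory=lambda: defaultdict(int))

    def new_second(self):
        """Refill all rate-limit buckets (called once per simulated second)."""
        self._buckets.clear()

    def answer(self, src_ip, qname, qtype, stats):
        if self.mode == "any_tcp" and qtype == "ANY":
            # Only ANY is affected: a spoofer never completes the TCP retry,
            # but every other large qtype still goes out over UDP in full.
            stats.bytes_to_source += TC_SIZE
            stats.truncated += 1
            return
        if self.mode == "rrl":
            # Identical answers to the same /24 share one bucket, whatever the qtype.
            key = (src_ip.rsplit(".", 1)[0], qname, qtype)
            self._buckets[key] += 1
            if self._buckets[key] > self.responses_per_second:
                self._slipped[key] += 1
                if self._slipped[key] % self.slip == 0:
                    stats.bytes_to_source += TC_SIZE   # real clients retry over TCP
                    stats.truncated += 1
                else:
                    stats.dropped += 1
                return
        stats.bytes_to_source += RESPONSE_SIZE[qtype]
        stats.full += 1


def reflect(mode, qtype, qps=1000, seconds=1, victim="203.0.113.7"):
    """Attacker spoofs `qps` queries/sec with the victim's address as source.

    Returns (stats, amplification), where amplification is bytes the victim
    receives divided by bytes the attacker had to send.
    """
    server = Responder(mode)
    stats = Stats()
    for _ in range(seconds):
        server.new_second()
        for _ in range(qps):
            server.answer(victim, "example.com", qtype, stats)
    return stats, stats.bytes_to_source / (QUERY_SIZE * qps * seconds)


def compare(qtypes=("ANY", "DNSKEY")):
    """Amplification factor for each mitigation and qtype, as a dict."""
    return {(mode, qt): round(reflect(mode, qt)[1], 2)
            for mode in ("none", "any_tcp", "rrl") for qt in qtypes}


if __name__ == "__main__":
    for (mode, qt), amp in compare().items():
        print(f"{mode:8s} {qt:7s} amplification x{amp}")
```

With the constructed sizes, the ANY-over-TCP knob takes ANY from roughly 53x down to 1x but leaves DNSKEY at 25x, while the tuple limiter holds both below 1x because it never looks at the qtype, only at how many identical answers one source prefix is being sent. In BIND 9.9.4 and later the production form of this is the `rate-limit` block (`responses-per-second`, `slip`), whose bucketing and slip behaviour differ in detail from this model.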