List: dns-operations
Subject: [dns-operations] Restrict ANY query to TCP ? Re: Why would an MTA issue an ANY query instead of an M
From: matt () conundrum ! com (Matthew Pounsett)
Date: 2012-06-11 19:12:35
Message-ID: 21EC7CC3-BE9B-4067-BFA1-69A5C21E991A () conundrum ! com
On 2012/06/11, at 13:57, Thomas Dupas wrote:
> Well, partly from what I see.
> Posts from yesterday already mentioned that many sources are not spoofed for the
> actual query the nameserver sees. If I look at our logs I see that most of the ANY
> queries come from North America, not China. They use spoofed source IPs to reach
> the CPE, but the CPE queries towards the nameserver aren't spoofed. Forcing ANY
> queries to TCP won't change that.
The vast majority of DoS-scale ANY queries we (Afilias) see are spoofed, generating
attacks against a third party.
On 2012/06/11, at 13:46, Olafur Gudmundsson wrote:
> how about much simpler configuration option to force all
> any queries to be reissued over TCP,
> restrict-any-udp "yes/no";
Because that only solves the problem of ANY queries. If they were forced over TCP,
then the next easiest attack vector is spoofed DNSKEY queries.
(source,query,answer) tuple rate limiting handles the entire attack method, not just
a single qtype.
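A sketch of the (source, query, answer) tuple rate limiting Matthew refers to, added here as an example and not code from the thread, from Afilias or from any nameserver. The window, threshold and SLIP values and the sample traffic are constructed assumptions; the point it shows is that a spoofed DNSKEY flood is limited exactly like a spoofed ANY flood, while a resolver asking for distinct names is untouched.

```python
from collections import defaultdict, deque

# Constructed parameters (assumptions, not values from the thread).
WINDOW_SECONDS = 1.0
RESPONSES_PER_WINDOW = 2   # identical responses allowed per source /24 per window
SLIP = 2                   # every 2nd limited response goes out truncated (TC=1)

def source_prefix(ip):
    """Aggregate IPv4 sources to a /24 so varying the low bits does not evade the limit."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

class TupleRateLimiter:
    """Rate limit by (source prefix, qname, qtype, answer), independent of qtype."""
    def __init__(self, window=WINDOW_SECONDS, limit=RESPONSES_PER_WINDOW, slip=SLIP):
        self.window, self.limit, self.slip = window, limit, slip
        self.sent = defaultdict(deque)    # key -> timestamps of responses sent
        self.limited = defaultdict(int)   # key -> count of responses held back

    def decide(self, now, source, qname, qtype, answer):
        key = (source_prefix(source), qname.lower(), qtype, answer)
        q = self.sent[key]
        while q and now - q[0] > self.window:   # expire entries outside the window
            q.popleft()
        if len(q) < self.limit:
            q.append(now)
            return "SEND"
        self.limited[key] += 1
        # SLIP: a truncated reply lets a real client retry over TCP, where the
        # source cannot be spoofed, while the spoofed victim only receives a tiny packet.
        return "SLIP" if self.limited[key] % self.slip == 0 else "DROP"

# Constructed traffic: one spoofed victim address hammered with ANY and then DNSKEY,
# plus an ordinary resolver asking for distinct names. Fields: (time, src, qname, qtype, answer).
SAMPLE_QUERIES = (
    [(0.1 * i, "192.0.2.7", "example.com", "ANY", "big-any-answer") for i in range(5)]
    + [(0.6 + 0.1 * i, "192.0.2.7", "example.com", "DNSKEY", "dnskey-answer") for i in range(5)]
    + [(0.1 * i, "198.51.100.5", f"host{i}.example.com", "A", f"a-answer-{i}") for i in range(5)]
)

def run(queries=SAMPLE_QUERIES):
    limiter = TupleRateLimiter()
    return [(qtype, limiter.decide(now, src, name, qtype, ans))
            for now, src, name, qtype, ans in sorted(queries)]

def summarize(queries=SAMPLE_QUERIES):
    """Decisions per qtype: both floods are limited the same way, the A lookups pass."""
    counts = defaultdict(lambda: defaultdict(int))
    for qtype, verdict in run(queries):
        counts[qtype][verdict] += 1
    return {t: dict(v) for t, v in counts.items()}

if __name__ == "__main__":
    print(summarize())
```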