any requests

Vernon Schryver vjs at
Sun Jun 2 22:13:33 UTC 2013

> From: Matus UHLAR - fantomas <uhlar at>

> On 02.06.13 20:28, hugo hugoo wrote:

> >I plan to block these kind of requests on the dns cache servers in order to
> > avoid any amplification attack.

> hard to say, but as I stated before: don't do that.

Instead, use RRL to mitigate many kinds of amplification attacks instead
of only those using ANY.  See

Blocking DNS ANY requests is to DNS amplification DoS mitigation as
blocking SMTP envelope Mail_From values of <> is to spam filtering.
In early spam days, people who either knew far less than they pretended
or had special agendas prescribed blocking the <> sender as almost the
FUSSP, and never mind RFCs that require accepting mail from <>, the
value of mail from <>, and the vast floods of spam that don't and
never did involve the <> sender.

Blocking DNS ANY or SMTP <> fit the old saying by H. L. Mencken:
    For every complex problem there is an answer that is clear,
     simple, and wrong.

Vernon Schryver    vjs at

More information about the bind-users mailing list