DNS security, amplification attacks and recursion
Shumon Huque
shuque at gmail.com
Tue Jul 7 18:31:26 UTC 2020
On Tue, Jul 7, 2020 at 2:21 PM Brett Delmage <Brett at brettdelmage.ca> wrote:
> On Tue, 7 Jul 2020, Tony Finch wrote:
>
> > Reduce the size of responses to ANY queries, which are a favourite tool of
> > amplification attacks. There's basically no downside to this one, in my
> > opinion, but I'm biased because I implemented it.
> >
> > minimal-any yes;
>
> Why only reduce and not eliminate?
>
> Can ANY responses be disabled completely with an option?
>
> This article at cloudflare
> https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
> states that they have deprecated it because it wasn't being used. They
> should know! This was posted over 5 years ago, in 2015.
>
Cloudflare themselves now implement the "minimal any" behavior described
in this spec:
https://tools.ietf.org/html/rfc8482
Responding to ANY with NOTIMP, REFUSED, or unknown RCODEs, or not
responding at all results in undesirable follow-on behaviour from DNS
resolvers (mostly aggressive retries).
Shumon.
---
$ dig @ns1.cloudflare.com. cloudflare.com. ANY
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54526
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cloudflare.com. IN ANY
;; ANSWER SECTION:
cloudflare.com. 3789 IN HINFO "RFC8482" ""
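The three ways of answering ANY that this thread contrasts (full legacy answer, the RFC 8482 single-RRset subset, and the synthesized HINFO "RFC8482" "" seen in the dig output above), modelled as an added example that is not code from this thread, from BIND or from Cloudflare. It assumes a constructed zone for example.net. and a rough wire-size estimator, so the byte counts illustrate the amplification difference rather than reproduce real packets.

```python
import shlex
from dataclasses import dataclass
@dataclass(frozen=True)
class RRset:
    rtype: str
    ttl: int
    rdatas: tuple  # rdata items in presentation format

# Constructed sample zone for one owner name (not the real records of any domain).
ZONE = {
    "example.net.": (
        RRset("A", 300, ("192.0.2.1", "192.0.2.2")),
        RRset("AAAA", 300, ("2001:db8::1",)),
        RRset("MX", 3600, ("10 mail.example.net.",)),
        RRset("TXT", 3600, ('"v=spf1 -all"', '"' + "x" * 200 + '"')),
    )
}

def name_wire_len(name):
    """Uncompressed wire length of an FQDN: one length byte per label plus the root."""
    return sum(1 + len(label) for label in name.rstrip(".").split(".")) + 1

def rdlength(rtype, rdata):
    """Approximate RDLENGTH for the types used here (no compression inside rdata)."""
    if rtype in ("A", "AAAA"):
        return 4 if rtype == "A" else 16
    if rtype == "MX":
        return 2 + name_wire_len(rdata.split()[1])
    if rtype in ("TXT", "HINFO"):  # one or more length-prefixed <character-string>s
        return sum(1 + len(s) for s in shlex.split(rdata))
    raise ValueError(f"unsupported type {rtype}")

def query_size(qname):  # 12-byte header plus the question; no EDNS OPT record assumed
    return 12 + name_wire_len(qname) + 4

def response_size(qname, rrsets):
    """Query size plus each answer RR: 2-byte compressed owner, 10 fixed bytes, rdata."""
    return query_size(qname) + sum(12 + rdlength(r.rtype, rd) for r in rrsets for rd in r.rdatas)

def answer_any(qname, zone, mode="hinfo"):
    """Answer section for ANY. "full": every RRset (legacy); "subset": RFC 8482 s4.1, one
    RRset (the smallest is chosen here); "hinfo": RFC 8482 s4.2, synthesized HINFO."""
    rrsets = zone.get(qname, ())
    if not rrsets or mode == "full":
        return tuple(rrsets)
    if mode == "subset":
        return (min(rrsets, key=lambda r: response_size(qname, (r,))),)
    if mode != "hinfo":
        raise ValueError(f"unknown mode {mode}")
    return (RRset("HINFO", 3600, ('"RFC8482" ""',)),)
```

Dividing response_size by query_size for each mode gives the amplification factor a reflector would offer; with the sample zone the full answer is roughly 12x the query while the HINFO answer is under 2x.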