DNS security, amplification attacks and recursion
shuque at gmail.com
Tue Jul 7 18:31:26 UTC 2020
On Tue, Jul 7, 2020 at 2:21 PM Brett Delmage <Brett at brettdelmage.ca> wrote:
> On Tue, 7 Jul 2020, Tony Finch wrote:
> > Reduce the size of responses to ANY queries, which are a favourite tool
> > amplification attacks. There's basically no downside to this one, in my
> > opinion, but I'm biased because I implemented it.
> > minimal-any yes;
> Why only reduce and not eliminate?
> Can ANY responses be disabled completely with an option?
> This article at cloudflare
> states that they have deprecated it because it wasn't being used. They
> should know! This was posted over 5 years ago, in 2015.
Cloudflare themselves now implement the "minimal any" behavior described
in this spec:
Responding to ANY with NOTIMP, REFUSED, or unknown RCODEs, or not
responding at all results in undesirable follow-on behaviour from DNS
(mostly aggressive retries).
$ dig @ns1.cloudflare.com. cloudflare.com. ANY
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54526
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cloudflare.com. IN ANY
;; ANSWER SECTION:
cloudflare.com. 3789 IN HINFO "RFC8482" ""
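As an added illustration of the point made above (not code from the thread or from Cloudflare or BIND), the following stdlib-only Python builds an ANY query and the RFC 8482 style minimal HINFO reply on the wire, parses the reply back to check for the "RFC8482" marker, and compares the response/query size ratio against a constructed old-style ANY answer carrying several records. All function names, the transaction id, TTLs and record contents are assumptions chosen for the example; the addresses are RFC 5737 documentation ranges.

```python
import struct

QTYPE_ANY = 255
TYPE_A = 1
TYPE_HINFO = 13
TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 54526) -> bytes:
    """Standard query: header with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def _rr(rtype: int, ttl: int, rdata: bytes) -> bytes:
    """Resource record whose owner is a compression pointer to the question name (offset 12)."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_hinfo_response(query: bytes, ttl: int = 3789) -> bytes:
    """RFC 8482 style answer: flags qr|aa|rd, NOERROR, single HINFO "RFC8482" ""."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    rdata = bytes([7]) + b"RFC8482" + bytes([0])  # two <character-string>s: "RFC8482" and ""
    header = struct.pack("!HHHHHH", txid, 0x8500, 1, 1, 0, 0)
    return header + question + _rr(TYPE_HINFO, ttl, rdata)


def build_full_any_response(query: bytes, ttl: int = 300) -> bytes:
    """Constructed old-style ANY answer: four A records plus two long TXT records."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    rrs = b""
    for last in range(1, 5):
        rrs += _rr(TYPE_A, ttl, bytes([192, 0, 2, last]))
    for txt in (b"v=spf1 " + b"ip4:192.0.2.0/24 " * 6 + b"-all", b"x" * 120):
        rrs += _rr(TYPE_TXT, ttl, bytes([len(txt)]) + txt)
    header = struct.pack("!HHHHHH", txid, 0x8500, 1, 6, 0, 0)
    return header + question + rrs


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, whether labels or a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_answers(msg: bytes):
    """Return [(rtype, ttl, rdata), ...] from the answer section of a DNS message."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QNAME, QTYPE, QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return answers


def parse_hinfo(rdata: bytes):
    """Decode HINFO RDATA into its (CPU, OS) character strings."""
    cpu_len = rdata[0]
    cpu = rdata[1:1 + cpu_len].decode("ascii")
    os_len = rdata[1 + cpu_len]
    os_ = rdata[2 + cpu_len:2 + cpu_len + os_len].decode("ascii")
    return cpu, os_


def is_rfc8482_reply(msg: bytes) -> bool:
    """True when the answer is exactly one HINFO record whose CPU field is "RFC8482"."""
    answers = parse_answers(msg)
    return (len(answers) == 1 and answers[0][0] == TYPE_HINFO
            and parse_hinfo(answers[0][2])[0] == "RFC8482")


def amplification(query: bytes, response: bytes) -> float:
    """Bytes returned per byte sent, the figure a reflector abuser cares about."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("cloudflare.com.")
    minimal = build_hinfo_response(q)
    full = build_full_any_response(q)
    print("minimal-any reply:", len(minimal), "bytes, ratio %.2f" % amplification(q, minimal))
    print("full ANY reply:   ", len(full), "bytes, ratio %.2f" % amplification(q, full))
```

The size ratio is the reason the HINFO answer is preferred over refusing or dropping ANY: the querier still gets a cacheable NOERROR response it understands, so it does not retry, while the reflector no longer returns a large payload.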