<html><body><div style="color:#000; background-color:#fff; font-family:tahoma, new york, times, serif;font-size:10pt">If some of your clients are SMTP relays, then ANY is the default lookup for an MX and is perfectly normal.<br><br>Much better from the point of view of the mail servers to do one lookup instead of several.<br><br>Len<br><div><span><br></span></div><div><br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; margin-top: 5px; padding-left: 5px;"> <div style="font-family: tahoma, new york, times, serif; font-size: 10pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> <font face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> hugo hugoo &lt;hugobxl@hotmail.com&gt;<br> <b><span style="font-weight: bold;">To:</span></b> Vernon Schryver &lt;vjs@rhyolite.com&gt;; "bind-users@lists.isc.org" &lt;bind-users@lists.isc.org&gt;
<br> <b><span style="font-weight: bold;">Sent:</span></b> Monday, June 3, 2013 12:26 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> RE: any requests<br> </font> </div> <div class="y_msg_container"><br><div id="yiv9223195640">
<div><div dir="ltr">Hello,<br> <br>Thanks for your answer.<br>I see ANY queries from my clients (we do not use open resolvers)<br> <br>I do not see why these kinds of queries are present.<br>Moreover, the cache servers only answer with their cache content.<br>Is this normal or must the cache query the authoritative server to fetch all the records?<br> <br>Hugo,<br> <br><div>> Date: Sun, 2 Jun 2013 22:13:33 +0000<br>> From: vjs@rhyolite.com<br>> To: bind-users@lists.isc.org<br>> Subject: Re: any requests<br>> <br>> > From: Matus UHLAR - fantomas &lt;uhlar@fantomas.sk&gt;<br>> <br>> > On 02.06.13 20:28, hugo hugoo wrote:<br>> <br>> > >I plan to block these kinds of requests on the dns cache servers in order to<br>> > > avoid any amplification attack.<br>> <br>> > hard to say, but as I stated before: don't do that.<br>> <br>> Instead, use RRL to mitigate many
kinds of amplification attacks instead<br>> of only those using ANY. See http://www.redbarn.org/dns/ratelimits<br>> <br>> Blocking DNS ANY requests is to DNS amplification DoS mitigation as<br>> blocking SMTP envelope Mail_From values of <> is to spam filtering.<br>> In early spam days, people who either knew far less than they pretended<br>> or had special agendas prescribed blocking the <> sender as almost the<br>> FUSSP, and never mind RFCs that require accepting mail from <>, the<br>> value of mail from <>, and the vast floods of spam that don't and<br>> never did involve the <> sender.<br>> <br>> Blocking DNS ANY or SMTP <> fit the old saying by H. L. Mencken:<br>> For every complex problem there is an answer that is clear,<br>> simple, and wrong.<br>> <br>> <br>> Vernon Schryver vjs@rhyolite.com<br>>
_______________________________________________<br>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list<br>> <br>> bind-users mailing list<br>> bind-users@lists.isc.org<br>> https://lists.isc.org/mailman/listinfo/bind-users<br></div> </div></div>
</div><br></div> </div> </div> </blockquote></div> </div></body></html>