On Tue, 7 Jul 2020, Tony Finch wrote:
> Brett Delmage wrote:
> > On Tue, 7 Jul 2020, Tony Finch wrote:
> > > minimal-any yes;
> > Why only reduce and not eliminate?
> The reason is a bit subtle. If an ANY query comes via a recursive
> resolver, it is much better to give the resolver an answer so tha
Brett Delmage wrote:
> On Tue, 7 Jul 2020, Tony Finch wrote:
> >
> > minimal-any yes;
>
> Why only reduce and not eliminate?
The reason is a bit subtle. If an ANY query comes via a recursive
resolver, it is much better to give the resolver an answer so that it will
put an entry in its cache.
On 07 Jul 2020, at 12:06, Michael De Roover wrote:
> On 7/7/20 4:06 PM, Tony Finch wrote:
>
>> max-udp-size 1420;
>> https://dnsflagday.net/2020/
> Interesting, I wasn't aware of this campaign. I don't know if I'm
> knowledgeable enough on UDP to be able to make educated decisions on
On Tue, 7 Jul 2020, Shumon Huque wrote:
> Cloudflare themselves now implement the "minimal any" behavior described
> in this spec:
> https://tools.ietf.org/html/rfc8482
> cloudflare.com. 3789 IN HINFO "RFC8482" ""
Gee, that's a pretty minimal answer! Thanks.
On Tue, Jul 7, 2020 at 2:21 PM Brett Delmage wrote:
> On Tue, 7 Jul 2020, Tony Finch wrote:
>
> > Reduce the size of responses to ANY queries, which are a favourite tool of
> > amplification attacks. There's basically no downside to this one, in my
> > opinion, but I'm biased because I implemen
On Tue, 7 Jul 2020, Tony Finch wrote:
> Reduce the size of responses to ANY queries, which are a favourite tool of
> amplification attacks. There's basically no downside to this one, in my
> opinion, but I'm biased because I implemented it.
> minimal-any yes;
Why only reduce and not eliminate?
On 7/7/20 4:06 PM, Tony Finch wrote:
> An auth-only server can also be used for amplification attacks that use
> its authoritative zones - these attacks don't have to use recursion.
> There are a few ways to mitigate auth-only amplification attacks.
> Response rate limiting is very effective. Start off
@lbutlr wrote:
>
> > rate-limit { responses-per-second 10; };
>
> Does that apply to local queries as well (for example, a mail server may
> easily make a whole lot of queries to 127.0.0.1, and rate limiting it
> would at the very least affect logging and could delay mail if the MTA
> cannot v
On 07 Jul 2020, at 08:06, Tony Finch wrote:
Excellent post, and a nice summary of some best practices.
I have a couple of questions.
> Response rate limiting is very effective. Start off by putting the
> following in your options{} section, and look in the BIND ARM for other
> directives you ca
Michael De Roover wrote:
>
> Said friend said to me that he tested my authoritative name servers and
> found them to be not vulnerable. [snip] They do not respond to recursive
> queries. It appears that the test of whether a server is "vulnerable" or
> not has to do with this. The command used to
On Tue, Jul 07, 2020 at 03:00:13PM +0200,
Michael De Roover wrote
a message of 46 lines which said:
> The command used to test this was apparently "dig +short
> test.openresolver.com TXT @your.name.server".
ANY instead of TXT may be more efficient (especially with +dnssec), if
the goal is to g
Hello,
Recently I discussed with a friend of mine the idea of NTP and DNS in
the context of denial of service attacks. In NTP this amplification
attack is done with the monlist command (that should honestly never have
been publicly available due to its purpose being pretty much entirely
debug