On 2012/06/11, at 13:57, Thomas Dupas wrote:

> Well, partly from what I see.
> Posts from yesterday already mentioned that many sources are not spoofed for
> the actual query the nameserver sees.
> If I look at our logs I see that most of the ANY queries come from
> North America, not China. They use spoofed source IPs to reach the CPE, but
> the CPE queries towards the nameserver aren't spoofed.
> Forcing ANY queries to TCP won't change that.

The vast majority of DoS-scale ANY queries we (Afilias) see are spoofed, generating attacks against a third party.

On 2012/06/11, at 13:46, Olafur Gudmundsson wrote:

> How about a much simpler configuration option to force all
> ANY queries to be reissued over TCP:
>
>     restrict-any-udp "yes/no";

Because that only solves the problem of ANY queries. If they were forced over TCP, then the next easiest attack vector is spoofed DNSKEY queries. (source, query, answer) tuple rate limiting handles the entire attack method, not just a single qtype.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations