> On Mar 6, 2015, at 10:54 AM, Anthony Eden <[email protected]> wrote:
>
> Olafur,
>
> Out of curiosity, have you considered forcing ANY queries over to TCP in all
> cases as a starting point to see what impact it has, if any?
>
> Sincerely,
> Anthony Eden
>

Yes, we have been doing that for the last few months.
That does help a lot but still allows attackers to fill Recursive Resolvers with large answers to replay.

For us the main advantage of doing NOTIMP is code simplicity: we can generate the return packet without hitting the actual DNS server.

Another thought we had was to "poison" resolvers with a bogus long-lived record like
<qname> 1W HINFO "Stop sending" "ANY query"

Olafur

> On Fri, Mar 6, 2015 at 4:48 PM, Casey Deccio <[email protected]> wrote:
> On Fri, Mar 6, 2015 at 10:05 AM, Olafur Gudmundsson <[email protected]> wrote:
>
> We will be deprecating support for ANY queries and return NOTIMP in the near
> future
> https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
>
> ID proposing this behavior will be forthcoming
>
>
> Be prepared... Less than two years ago a prominent DNS service began denying
> ANY queries for a previous employer's domain, and some (important) emails
> were not delivered. Historical measurements will help quantify potential
> issues, but certainly those are not comprehensive, and like anything, there
> will be breakage.
>
> I'm not suggesting it's not the right direction, but the change seems
> somewhat abrupt, and might result in some undesirable near-term effects.
> Community support and publicity could help mitigate issues.
>
> Best regards,
> Casey
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
> --
> DNSimple.com
> http://dnsimple.com/
> Twitter: @dnsimple
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
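
The edge handling discussed in this thread, as an added example (not Cloudflare's code and not part of any message above): a Python function that answers an ANY query from the query bytes alone, either with RCODE NOTIMP or with TC=1 so that the resolver retries over TCP. The function names, the `policy` parameter and the sample query builder are assumptions constructed for illustration.

```python
import struct

QTYPE_ANY, RCODE_NOTIMP = 255, 4
FLAG_QR, FLAG_TC, FLAG_RD, OPCODE_MASK = 0x8000, 0x0200, 0x0100, 0x7800

def question_end(msg, off=12):
    """Offset just past the first question (QNAME, QTYPE, QCLASS)."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[off]
        if length & 0xC0:  # labels are at most 63 bytes; no pointers in a query name
            raise ValueError("unexpected compression pointer")
        off += 1 + length
        if length == 0:
            break
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    return off + 4

def answer_any_at_edge(query, policy="notimp"):
    """Reply bytes for an ANY query, or None to pass the query to the real server.

    policy="notimp": RCODE 4, the behaviour proposed in the thread.
    policy="tcp":    TC=1 with no records, for UDP transport only.
    """
    if len(query) < 12:
        raise ValueError("short DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & FLAG_QR or qdcount != 1:
        return None
    end = question_end(query)
    qtype, _qclass = struct.unpack("!HH", query[end - 4:end])
    if qtype != QTYPE_ANY:
        return None
    # Copy ID, opcode and RD from the query; nothing is looked up in zone data.
    out = FLAG_QR | (flags & (OPCODE_MASK | FLAG_RD))
    out |= FLAG_TC if policy == "tcp" else RCODE_NOTIMP
    # QDCOUNT=1, no answer/authority/additional records (any EDNS OPT is dropped).
    return struct.pack("!HHHHHH", qid, out, 1, 0, 0, 0) + query[12:end]

def build_query(name, qtype, qid=0x1234):
    """Constructed sample input: a recursion-desired query for name/qtype, class IN."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
```

Either reply is no larger than the query that triggered it, so a spoofed-source ANY query gains no amplification from this path.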
