--- Begin Message ---
On Mon, 24 Feb 2025 10:07:20 +0100 Petr Špaček wrote:
> I agree sl TLD has _very_ unusual configuration, but their servers don't
> send ANY responses over UDP, so it should not be a problem by itself. I
> would think the problem is someone else's servers which are willing to
> send oversized UDP answers

Such servers do exist in the wild (but you would need a whole lot of
them to generate the amount of traffic this amplification attack
generated the last time I encountered it):
[IP address hidden - will provide it off-list if desired]
dig +ignore +notcp +multi +crypto +dnssec ANY sl @[hidden]
; <<>> DiG 9.20.0 <<>> +ignore +notcp +multi +crypto +dnssec ANY sl @[hidden]
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39636
;; flags: qr tc rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;sl. IN ANY
;; ANSWER SECTION:
sl. 854 IN RRSIG NS 7 1 1800 (
20250209213757 20250110212200 55940 sl.
rMvFxnZz23sTZbBI0dgkc2aghlM5QI81mcW7bW0fNFQ7
B7t6dyhANW+KpnGl8pj+5zSTMlOxbohnPMY4sr+mL+zA
.
.
.
<snap>
.
.
.
;; Query time: 64 msec
;; SERVER: [hidden]#53([hidden]) (UDP)
;; WHEN: Wed Jan 22 13:35:48 CET 2025
;; MSG SIZE rcvd: 4081
--
Marco
--- End Message ---
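
An offline way to quantify the reply shown in the message above, as an added example that is not part of the original message: it builds the wire-format ANY query with EDNS0 and reads the size and header flags of a captured UDP response to report the amplification factor. The function names, the 1232-byte threshold and the zero-filled sample response (constructed to match the header fields and MSG SIZE in the dig output) are assumptions; the query carries no cookie option, which dig may add, so a measured ratio can differ.

```python
import struct

UDP_SAFE_PAYLOAD = 1232  # assumed threshold: DNS Flag Day 2020 recommended EDNS size
TC_FLAG = 0x0200

def build_any_query(name, bufsize=4096, dnssec_ok=True, qid=0):
    """Wire-format ANY query with an EDNS0 OPT record (no cookie option)."""
    labels = [l for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 OPT
    question = qname + struct.pack("!HH", 255, 1)              # QTYPE=ANY, QCLASS=IN
    ext_flags = 0x8000 if dnssec_ok else 0                     # DO bit
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, ext_flags, 0)
    return header + question + opt

def assess_udp_response(query, response):
    """Report size, header flags and amplification factor of one UDP response."""
    if len(response) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "size": len(response),
        "answers": ancount,
        "truncated": bool(flags & TC_FLAG),
        "oversized": len(response) > UDP_SAFE_PAYLOAD,
        "factor": round(len(response) / len(query), 1),
    }

def constructed_sample():
    """Constructed stand-in for the reply above: same header fields and size, zero-filled body."""
    header = struct.pack("!HHHHHH", 39636, 0x8380, 1, 14, 0, 0)  # qr tc rd ra
    return header + bytes(4081 - len(header))

if __name__ == "__main__":
    q = build_any_query("sl")
    print(len(q), assess_udp_response(q, constructed_sample()))
```

A response that is both `truncated` and `oversized` is the combination seen in the dig output: the TC flag is set, yet the full 4081 bytes still went out over UDP.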