Moin!
On 28 Jun 2016, at 12:26, Mirjam Kuehne wrote:
> Dear colleagues,
> Ramtin Kiaei shows how to mitigate DNS attacks by implementing a
> stateless firewall filter at the aggregation or edge router.
> Please find his article on RIPE Labs:
> https://labs.ripe.net/Members/ramtin_kiaei/securing-network-infrastructure-for-dns-servers?pk_campaign=labs&pk_kwd=list-dnswg
IMHO this is full of bad ideas and against protocol specs. While I agree
that in this day and age one must defend against attacks on DNS
systems, just blindly dropping on packet size or fragments is a very
bad idea. Forwarding to 8.8.8.8 also is, although I know people who
disagree with me on that.
If you deploy this approach I'm pretty sure down the road you will spend
endless hours trying to debug why something does not work and then find
out that it's the filter on packet size you had totally forgotten about.
So long
-Ralf
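An added illustration of the failure mode Ralf describes (this is example code written for this page, not Ralf's and not from the RIPE Labs article): it builds constructed DNS responses in wire format, one small A answer and one DNSSEC-style DNSKEY set with dummy key material, and runs them through an assumed stateless rule of the form "drop DNS/UDP payloads larger than 512 bytes". The point it makes is that the drop is silent: the server never set TC=1 (the client advertised a 4096-byte EDNS0 buffer, so the answer fitted), the resolver sees nothing at all, and it never falls back to TCP. All message contents, the 512-byte threshold and the helper names are assumptions made for the example.

```python
"""Added example: what a stateless 'drop DNS/UDP over N bytes' rule does to EDNS0.

Constructed DNS messages only; nothing here touches the network.
"""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 1, 41, 46, 48
FLAG_TC = 0x0200
CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP limit when the client sends no OPT RR


def encode_name(name):
    """Wire-format a domain name (labels, no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, qtype, answers, edns_bufsize=None, tc=False):
    """Header + one question + answer RRs + optional OPT pseudo-RR (RFC 6891)."""
    flags = 0x8180 | (FLAG_TC if tc else 0)            # QR=1 RD=1 RA=1 (+TC)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0,
                      1 if edns_bufsize else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)    # class IN
    for rtype, rdata in answers:
        # 0xC00C = compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    if edns_bufsize:
        # OPT RR: root name, type 41, the CLASS field carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def server_reply(qname, qtype, answers, client_bufsize):
    """Authoritative behaviour: full answer if it fits the client's limit, else TC=1."""
    limit = client_bufsize or CLASSIC_UDP_LIMIT
    full = build_response(qname, qtype, answers, edns_bufsize=client_bufsize)
    if len(full) <= limit:
        return full
    return build_response(qname, qtype, [], edns_bufsize=client_bufsize, tc=True)


def stateless_size_filter(udp_payload, max_len):
    """Assumed form of the rule under discussion: silently drop DNS/UDP > max_len."""
    if max_len is None or len(udp_payload) <= max_len:
        return udp_payload
    return None


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def lookup(qname, qtype, answers, client_bufsize, filter_max=None):
    """Resolver side: UDP first, TCP only if it actually *sees* TC=1."""
    wire = server_reply(qname, qtype, answers, client_bufsize)
    seen = stateless_size_filter(wire, filter_max)
    if seen is None:
        return "timeout"     # nothing arrives and no TC bit, so no reason to retry over TCP
    if is_truncated(seen):
        return "ok_tcp"      # TCP retry; a UDP-only size rule does not apply there
    return "ok_udp"


# Constructed records: one A record, and a DNSKEY RRset with dummy key/signature bytes
A_RRS = [(TYPE_A, bytes([192, 0, 2, 10]))]
DNSKEY_RRS = [
    (TYPE_DNSKEY, struct.pack("!HBB", 257, 3, 8) + b"\x03\x01\x00\x01" + bytes(256)),  # KSK
    (TYPE_DNSKEY, struct.pack("!HBB", 256, 3, 8) + b"\x03\x01\x00\x01" + bytes(128)),  # ZSK
    (TYPE_RRSIG, bytes(18) + encode_name("example.net.") + bytes(256)),               # RRSIG
]


def demo():
    """Four lookups: with and without the assumed 512-byte drop rule."""
    return {
        "A, no filter":               lookup("example.net.", TYPE_A, A_RRS, 4096),
        "DNSKEY, no filter":          lookup("example.net.", TYPE_DNSKEY, DNSKEY_RRS, 4096),
        "DNSKEY, filter>512":         lookup("example.net.", TYPE_DNSKEY, DNSKEY_RRS, 4096, 512),
        "DNSKEY, filter>512, noedns": lookup("example.net.", TYPE_DNSKEY, DNSKEY_RRS, None, 512),
    }


if __name__ == "__main__":
    big = build_response("example.net.", TYPE_DNSKEY, DNSKEY_RRS, 4096)
    print(f"constructed DNSKEY response is {len(big)} bytes")
    for case, outcome in demo().items():
        print(f"{case:28} -> {outcome}")
```

The last two cases are the debugging signature of such a filter: the same DNSKEY query hangs when the resolver advertises a normal EDNS0 buffer, but succeeds when it sends no OPT RR, because then the server sets TC=1 on a 29-byte reply that passes the rule and the client retries over TCP. In practice that is the "works with dig +noedns, times out with plain dig" pattern, and it is exactly the kind of thing that costs the hours Ralf mentions once the rule has been forgotten.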