Hi Ralf,

Thanks for the feedback. I am copying the author so he is aware of your comment.

Kind regards,
Mirjam

On 28/6/16 12:41, Ralf Weber wrote:
> Moin!
>
> On 28 Jun 2016, at 12:26, Mirjam Kuehne wrote:
>
>> Dear colleagues,
>>
>> Ramtin Kiaei shows how to mitigate DNS attacks by implementing a
>> stateless firewall filter at the aggregation or edge router.
>> Please find his article on RIPE Labs:
>>
>> https://labs.ripe.net/Members/ramtin_kiaei/securing-network-infrastructure-for-dns-servers?pk_campaign=labs&pk_kwd=list-dnswg
>>
> IMHO this is full of bad ideas and against protocol specs. While I agree
> that in this day and age one must defend against attacks on DNS
> systems, just blindly dropping on packet size or fragments is a very
> bad idea. Forwarding to 8.8.8.8 also is, although I know people who
> disagree with me on that.
>
> If you deploy this approach I'm pretty sure down the road you will spend
> endless hours trying to debug why something does not work and then find
> out that it's the filter on packet size you totally forgot about.
>
> So long
> -Ralf
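Ralf's objection to dropping on packet size or fragments can be checked before a filter goes in. The script below is an added example, not code from the thread or from the RIPE Labs article: it builds DNSSEC-style DNSKEY answers of realistic wire size (constructed zone name, zero-filled RSA-2048 keys and signatures) and runs them through a simulated "drop if larger than N bytes or fragmented" rule. The 512-byte threshold and the 1500-byte MTU are assumptions for the simulation, not values taken from the article.

```python
import struct

# Added example: measure what a size/fragment filter would do to legitimate
# DNSSEC responses. All names, keys and signatures below are constructed.

def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def rr(name, rtype, ttl, rdata):
    """One resource record: NAME, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_dnskey_response(zone="example.test.", num_keys=2, num_sigs=2):
    """Constructed DNSKEY answer: num_keys RSA-2048 DNSKEYs, num_sigs RRSIGs, one EDNS0 OPT."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, num_keys + num_sigs, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", 48, 1)  # QTYPE DNSKEY, QCLASS IN
    answer = b""
    for i in range(num_keys):
        flags = 257 if i == 0 else 256  # first key is the KSK, the rest ZSKs
        # RSA public key field: exponent length, exponent 65537, 2048-bit modulus (zeros, constructed)
        key = b"\x03\x01\x00\x01" + b"\x00" * 256
        answer += rr(zone, 48, 3600, struct.pack("!HBB", flags, 3, 8) + key)
    for _ in range(num_sigs):
        # RRSIG fixed fields: type covered, algorithm, labels, orig TTL, expiration, inception, key tag
        fixed = struct.pack("!HBBIIIH", 48, 8, 2, 3600, 0x60000000, 0x5F000000, 12345)
        answer += rr(zone, 46, 3600, fixed + encode_name(zone) + b"\x00" * 256)  # 256-byte signature
    # EDNS0 OPT pseudo-RR: root name, type 41, 4096-byte UDP payload, DO bit set, no options
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + answer + opt

def filter_verdict(udp_payload, max_size=512, mtu=1500):
    """Emulate the stateless rule. Assumes IPv4 + UDP headers of 28 bytes when deciding fragmentation."""
    fragmented = len(udp_payload) + 28 > mtu
    if fragmented or len(udp_payload) > max_size:
        return "drop"
    return "pass"

def audit(max_size=512):
    """Return (size, verdict) for a normal 2-key zone and for a 3-key KSK rollover."""
    return {shape: (len(m), filter_verdict(m, max_size))
            for shape, m in (("steady", build_dnskey_response(num_keys=2)),
                             ("rollover", build_dnskey_response(num_keys=3)))}
```

With the assumed 512-byte rule the steady-state answer (1241 bytes) is dropped outright and the rollover answer (1529 bytes) is dropped as a fragment; raising the threshold to the advertised 4096 bytes passes the former but still loses the latter.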