Shane Kerr wrote:

> In the case where people just want to reduce the damage of ANY queries
> in reflection attacks, I quite like the PowerDNS option of forcing ANY
> queries to TCP via truncation. I'm not sure if this has been documented
> in any RFC, but if not then perhaps it bears mentioning too?
note that in a normal reflective ddos where a lot of ANY queries are being received, the above proposal results in a full TCP session table, thus denying TCP service to any non-attacker.

this is not a serious problem, since virtually anyone can launch a denial of service against TCP/53 without a distributed attack force. so, that problem already exists.

if it's going to become a documented operational practice, then this risk should be documented also.

-- 
Paul Vixie
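The truncation behaviour discussed above (an ANY query arriving over UDP is answered with TC=1 and no records, so a legitimate client retries over TCP), as an added illustration that is not PowerDNS's own code: the DNS wire-format handling and the `example.com` query are constructed here; a real server would hand non-ANY queries to its normal resolution path and would still rate-limit TCP.

```python
import struct

QTYPE_ANY = 255
FLAG_QR = 0x8000      # response bit
FLAG_TC = 0x0200      # truncated: client should retry over TCP
FLAG_RD = 0x0100      # recursion desired (copied from the query)
OPCODE_MASK = 0x7800  # opcode bits, copied unchanged into the response

def parse_question(msg):
    """Return (qname, qtype, qclass, end_offset) for the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    if struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0:
            raise ValueError("compression pointer in a query name")
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return ".".join(labels) + ".", qtype, qclass, off + 4

def truncate_any_over_udp(msg):
    """For a UDP query of type ANY, build a TC=1 response carrying only the question.
    Returns None for every other qtype so the caller answers it normally."""
    _, qtype, _, qend = parse_question(msg)
    if qtype != QTYPE_ANY:
        return None
    txid, flags = struct.unpack("!HH", msg[:4])
    rflags = FLAG_QR | FLAG_TC | (flags & (OPCODE_MASK | FLAG_RD))  # rcode NOERROR
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)       # qd=1, an/ns/ar=0
    return header + msg[12:qend]

def is_truncated(resp):
    """True when the response has both QR and TC set."""
    flags = struct.unpack("!H", resp[2:4])[0]
    return bool(flags & FLAG_QR) and bool(flags & FLAG_TC)

def build_query(name, qtype, txid=0x1234):
    """Constructed sample query (not captured traffic): class IN, RD set, no EDNS."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
```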