On 9 November 2014 Sunday, at 11:40, Doug Barton <do...@dougbarton.us> wrote:
> On 11/8/14 6:33 PM, Roland Dobbins wrote:
>> this is incorrect and harmful, and should be removed:
>>
>> iii. Consider dropping any DNS reply packets which are larger
>> than 512 Bytes – these are commonly found in DNS DoS Amplification attacks.
>>
>> This *breaks the Internet*. Don't do it.
>
> +1

actually, if you think this will help you, by all means drop any DNS packets which are gt. 512 bytes, not UDP, and not IPv4.

/bill