--snip--
defending against DNS is almost equally trivial ....
- 53/udp is used for dns queries ...
...except when it's not. TCP is an accepted transport for DNS queries and necessary for response sizes > 512 bytes where EDNS is not in use / available.
- 53/tcp is used for zone transfers between primary and secondary DNS servers
thus, all incoming tcp packets to a DNS server are DDoS attacks except your own primary and secondary dns server ip#
As per above, that's not entirely accurate, though you're welcome to cause some FPs by dropping legitimate DNS queries over TCP. Granted on our own recursive resolvers the percentage of TCP queries is vanishingly small to non-existent, but "all" is not correct.
- we're all assuming your DNS server is closed for recursive queries to prevent DNS amplification attacks ...
...for different degrees of "closed". I'm assuming $dayjob for at least *some* of the folks on this list entails a service provider network of some sort, where it'd be pretty likely there are some recursive resolvers available to their customers. DNS amplification queries sourced from (or spoofed as) within customer ranges and able to reach the resolvers are still a vector.
-- Hugo
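A small illustration of the 512-byte / EDNS / TCP-fallback point made in the reply above. This is an added example, not code from the thread or from any resolver: it builds a DNS query with or without an EDNS0 OPT record (RFC 6891), reports the largest UDP response that query permits (512 bytes without EDNS, the advertised payload size with it), and checks the TC flag on a response, which is the signal that tells a client to retry the same question over 53/tcp. The names, the constructed truncated response and the example.com question are assumptions for illustration; nothing here touches the network.

```python
"""DNS message helpers: EDNS0 UDP size and TC-based TCP fallback (added example)."""
import struct

QTYPE_A = 1
QTYPE_OPT = 41            # EDNS0 pseudo-RR type (RFC 6891)
FLAG_QR = 0x8000          # response
FLAG_TC = 0x0200          # truncated: client must retry over TCP
FLAG_RD = 0x0100          # recursion desired
CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP payload ceiling when no OPT RR is present


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, edns_udp_size=None, txid=0x1234):
    """Build a recursive query; with edns_udp_size, append an EDNS0 OPT RR."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=extended rcode/version/flags (all zero here), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def iter_rrs(msg):
    """Yield (section, type, class, rdata) for each RR after the question section."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for section, count in (("answer", hdr["ancount"]),
                           ("authority", hdr["nscount"]),
                           ("additional", hdr["arcount"])):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            yield section, rtype, rclass, msg[off:off + rdlen]
            off += rdlen


def udp_response_limit(query):
    """Largest UDP response this query allows: 512 unless an OPT RR advertises more."""
    for section, rtype, rclass, _ in iter_rrs(query):
        if section == "additional" and rtype == QTYPE_OPT:
            return max(rclass, CLASSIC_UDP_LIMIT)   # RFC 6891: values < 512 mean 512
    return CLASSIC_UDP_LIMIT


def must_retry_over_tcp(response):
    """True when the server set TC: the UDP answer was cut short, use 53/tcp."""
    return bool(parse_header(response)["flags"] & FLAG_TC)


def truncated_response_for(query):
    """Constructed sample response: echo the question, set QR|TC, no answers."""
    hdr = parse_header(query)
    resp = struct.pack("!HHHHHH", hdr["id"], FLAG_QR | FLAG_TC | FLAG_RD, 1, 0, 0, 0)
    return resp + query[12:skip_name(query, 12) + 4]


if __name__ == "__main__":
    plain = build_query("example.com")
    edns = build_query("example.com", edns_udp_size=4096)
    print("no EDNS0 : UDP answer capped at", udp_response_limit(plain), "bytes")
    print("EDNS0    : UDP answer capped at", udp_response_limit(edns), "bytes")
    print("TC set   : retry over TCP ->", must_retry_over_tcp(truncated_response_for(plain)))
```

The practical consequence for a filter that drops every inbound 53/tcp packet except from your own primaries and secondaries: any client that receives a TC response, or any resolver talking to a server where EDNS0 is unavailable and the answer exceeds 512 bytes, has no path left to the full answer.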