On 1/23/19 8:44 PM, Mark Andrews wrote:
> and they your firewalls don’t block well formed DNS queries (lots of
> them do by default).
My edge routers block *all* inbound DNS requests -- I was being hit by a ton of them at one point. Caveat: I don't run a DNS server that is a domain zone master -- I use a DNS service for that. I do have a DNS server inside, but only to handle recursive requests from inside my network. Outbound DNS requests? Lets them through, and responses too.