On Tue, 7 Jul 2020, Tony Finch wrote:
Brett Delmage wrote:
On Tue, 7 Jul 2020, Tony Finch wrote:
minimal-any yes;
Why only reduce and not eliminate?
The reason is a bit subtle. If an ANY query comes via a recursive
resolver, it is much better to give the resolver an answer so tha

Brett Delmage wrote:
> On Tue, 7 Jul 2020, Tony Finch wrote:
> >
> > minimal-any yes;
>
> Why only reduce and not eliminate?
The reason is a bit subtle. If an ANY query comes via a recursive
resolver, it is much better to give the resolver an answer so that it will
put an entry in its cache.

On 07 Jul 2020, at 12:06, Michael De Roover wrote:
> On 7/7/20 4:06 PM, Tony Finch wrote:
>
>> max-udp-size 1420;
>> https://dnsflagday.net/2020/
> Interesting, I wasn't aware of this campaign. I don't know if I'm
> knowledgeable enough on UDP to be able to make educated decisions on

On Tue, 7 Jul 2020, Shumon Huque wrote:
Cloudflare themselves now implement the "minimal any" behavior described
in this spec:
https://tools.ietf.org/html/rfc8482
cloudflare.com. 3789 IN HINFO "RFC8482" ""
Gee, that's a pretty minimal answer! Thanks.

On Tue, Jul 7, 2020 at 2:21 PM Brett Delmage wrote:
> On Tue, 7 Jul 2020, Tony Finch wrote:
>
> > Reduce the size of responses to ANY queries, which are a favourite tool
> of
> > amplification attacks. There's basically no downside to this one, in my
> > opinion, but I'm biased because I implemen

On Tue, 7 Jul 2020, Tony Finch wrote:
Reduce the size of responses to ANY queries, which are a favourite tool of
amplification attacks. There's basically no downside to this one, in my
opinion, but I'm biased because I implemented it.
minimal-any yes;
Why only reduce and not eliminate?

On 7/7/20 4:06 PM, Tony Finch wrote:
An auth-only server can also be used for amplification attacks that use
its authoritative zones - these attacks don't have to use recursion.
There are a few ways to mitigate auth-only amplification attacks.
Response rate limiting is very effective. Start off

@lbutlr wrote:
>
> > rate-limit { responses-per-second 10; };
>
> Does that apply to local queries as well (for example, a mail server may
> easily make a whole lot of queries to 127.0.0.1, and rate limiting it
> would at the very least affect logging and could delay mail if the MTA
> cannot v

On 07 Jul 2020, at 08:06, Tony Finch wrote:
Excellent post, and a nice summary of some best practices.
I have a couple of questions.
> Response rate limiting is very effective. Start off by putting the
> following in your options{} section, and look in the BIND ARM for other
> directives you ca

Michael De Roover wrote:
>
> Said friend said to me that he tested my authoritative name servers and
> found them to be not vulnerable. [snip] They do not respond to recursive
> queries. It appears that the test of whether a server is "vulnerable" or
> not has to do with this. The command used to

On Tue, Jul 07, 2020 at 03:00:13PM +0200,
Michael De Roover wrote
a message of 46 lines which said:
> The command used to test this was apparently "dig +short
> test.openresolver.com TXT @your.name.server".
ANY instead of TXT may be more efficient (specially with +dnssec), if
the goal is to g