On Tue, 17 Mar 2015, Yunhong Gu wrote:
> The reason that this response can be used for an amplification attack is its size, not the ANY type. A response with 200 A records can be used for the same purpose. The (even deeper) root cause is the use of UDP in the DNS protocol. I just do not think banning ANY touches any of these fundamental issues.
Right, so require TCP or Eastlake cookies, or allow padding the ANY request so the request/response ratio is close to 1 before allowing the answer. Make the dig command default to TCP. That should cover the vast majority of valid ANY queries.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
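To make the size argument and the proposed policy concrete, here is an added example (not code from the thread or from any DNS implementation) that builds minimal DNS wire-format messages, measures the response/request amplification ratio, and applies the decision Paul describes: answer a large response only over TCP, with a valid cookie, or when the client padded its request enough to bring the ratio under a threshold; otherwise return a truncated (TC=1) answer so the client retries over TCP. Assumptions: the padding is carried as an EDNS(0) Padding option (option code 12, RFC 7830), the threshold of 2.0 and the constructed zone with N A records at 192.0.2.x are illustrative, and cookie validation is represented by a boolean because the thread does not specify it.

```python
import math
import struct

TYPE_A, TYPE_OPT, TYPE_ANY = 1, 41, 255
EDNS_PADDING = 12          # EDNS(0) option code for Padding (RFC 7830)
HDR_LEN = 12               # fixed DNS header size
TC_FLAG = 0x0200           # Truncation bit in the header flags


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def opt_rr(udp_size=4096, padding=0):
    """EDNS(0) OPT pseudo-RR; with padding > 0 it carries a Padding option of that many zero bytes."""
    rdata = struct.pack("!HH", EDNS_PADDING, padding) + b"\x00" * padding if padding else b""
    # root name (1 byte) + TYPE + CLASS(=UDP size) + TTL(=ext. flags) + RDLENGTH
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, len(rdata)) + rdata


def build_query(name, qtype, padding=0):
    """A standard recursive query with one question and an OPT RR (constructed sample)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + opt_rr(padding=padding)


def build_response(name, n_a_records, truncated=False):
    """Answer to an ANY query holding n A records, or an empty TC=1 answer when truncated."""
    flags = 0x8180 | (TC_FLAG if truncated else 0)          # QR, RD, RA (+ TC)
    ancount = 0 if truncated else n_a_records
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 1)
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_ANY, 1)
    if not truncated:
        for i in range(n_a_records):
            # 0xC00C = compression pointer to the question name at offset 12; TTL 300, RDLENGTH 4
            msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, i % 256])
    return msg + opt_rr()


def amplification(query, response):
    """Bytes sent back per byte received: the quantity an amplification attack exploits."""
    return len(response) / len(query)


def padding_for_ratio(name, n_a_records, max_ratio):
    """Minimal EDNS padding the client must add so the full ANY answer stays within max_ratio."""
    full = len(build_response(name, n_a_records))
    base = len(build_query(name, TYPE_ANY)) + 4               # +4 for the option header once padding is present
    return max(0, math.ceil(full / max_ratio) - base)


def decide(name, n_a_records, over_tcp, valid_cookie, query=None, max_ratio=2.0):
    """Policy from the thread: send the big answer only when the peer is provably reachable or paid for it."""
    if query is None:
        query = build_query(name, TYPE_ANY)
    full = build_response(name, n_a_records)
    if over_tcp or valid_cookie or amplification(query, full) <= max_ratio:
        return "answer", full
    return "truncate", build_response(name, n_a_records, truncated=True)


if __name__ == "__main__":
    q = build_query("example.com", TYPE_ANY)
    r = build_response("example.com", 200)
    print(f"unpadded ANY query: {len(q)} bytes, 200-record answer: {len(r)} bytes, ratio {amplification(q, r):.1f}x")
    print("padding needed for 2x:", padding_for_ratio("example.com", 200, 2.0))
    for tcp, cookie in ((False, False), (True, False), (False, True)):
        action, resp = decide("example.com", 200, tcp, cookie)
        print(f"tcp={tcp} cookie={cookie}: {action}, {len(resp)} bytes sent")
```

The numbers it prints are the whole point of the quoted exchange: a 40-byte UDP query pulling a 200-record answer is roughly 80x amplification regardless of whether the question type was ANY or A, while the truncated reply is the same size as the query (1x) and costs the server nothing until the client comes back over TCP. The padding branch shows why Paul's third option is awkward in practice: the client has to send a query almost as large as the answer it wants, which is only acceptable for the small number of tools (such as dig) that legitimately issue ANY.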