Re: DNS Lookup - Filter localhost

2014-11-18 Thread Tony Finch
Radke, Justin jra...@canbytel.com wrote:
> 2. Do you have an actual localhost zone that issues 127.0.0.1?
Yes. I think this is best practice, though it isn't required by RFC 6303 and isn't set up by default in BIND like the empty reverse DNS zones.
> 3. Do you block 512 Bytes DNS requests?
512

DNS Lookup - Filter localhost

2014-11-17 Thread Radke, Justin
This past weekend we started receiving bursts of lookups on our DNS server for localhost. We blocked our subscriber abusing this lookup (most assuredly malware and not intentional) but am curious what safeguards you put in place for DoS attacks on your DNS servers.
1. As an ISP do you see a problem
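The burst described in this post is the kind of thing a resolver operator would want to spot from the query log before a subscriber gets blocked by hand. The following is an added example, not code from the thread or from any of its participants: it reads BIND 9 style query-log lines, counts queries for "localhost" per client in a sliding time window, and reports clients whose count exceeds a threshold. The log format, the thresholds and all addresses are assumptions; the sample lines are constructed and use RFC 5737 documentation ranges.

```python
# Added example (not from the thread): flag clients sending bursts of
# "localhost" queries, based on BIND 9 style query-log lines. The log
# format, thresholds and addresses below are assumptions; the sample
# lines are constructed (RFC 5737 documentation ranges).
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches BIND 9 query-log lines such as:
#   17-Nov-2014 13:11:02.123 client 203.0.113.7#51234 (localhost): query: localhost IN A + (198.51.100.53)
# Newer BIND releases insert a "@0x..." client handle after "client";
# the optional group tolerates that variant.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for non-query lines."""
    m = QUERY_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    # Normalise the name: trailing dot and case are not significant in DNS.
    qname = m.group("qname").rstrip(".").lower()
    return ts, m.group("ip"), qname, m.group("qtype")


def find_localhost_bursts(lines, threshold=5, window_seconds=10):
    """Sliding-window count, per client, of queries whose qname is 'localhost'.

    Returns {client_ip: peak_count} for every client whose count within any
    window of `window_seconds` exceeded `threshold`. Other names are ignored,
    so ordinary traffic from the same client does not inflate the count.
    """
    recent = defaultdict(deque)  # client_ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qname, _qtype = parsed
        if qname != "localhost":
            continue
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


# Constructed sample log: 203.0.113.7 sends seven localhost queries in a few
# seconds; 203.0.113.8 sends one, plus an unrelated lookup.
SAMPLE_LOG = [
    "17-Nov-2014 13:11:02.001 client 203.0.113.7#51234 (localhost): query: localhost IN A + (198.51.100.53)",
    "17-Nov-2014 13:11:02.450 client 203.0.113.8#40011 (www.example.com): query: www.example.com IN A + (198.51.100.53)",
    "17-Nov-2014 13:11:03.002 client 203.0.113.7#51235 (localhost): query: localhost IN A + (198.51.100.53)",
    "17-Nov-2014 13:11:03.500 client 203.0.113.7#51236 (localhost): query: localhost IN A + (198.51.100.53)",
    "17-Nov-2014 13:11:04.010 client 203.0.113.7#51237 (localhost): query: LOCALHOST. IN A + (198.51.100.53)",
    "17-Nov-2014 13:11:04.900 client 203.0.113.8#40012 (localhost): query: localhost IN AAAA + (198.51.100.53)",
    "17-Nov-2014 13:11:05.003 client 203.0.113.7#51238 (localhost): query: localhost IN A + (198.51.100.53)",
    "17-Nov-2014 13:11:05.600 client 203.0.113.7#51239 (localhost): query: localhost IN A + (198.51.100.53)",
    "17-Nov-2014 13:11:06.120 client 203.0.113.7#51240 (localhost): query: localhost IN A + (198.51.100.53)",
    "17-Nov-2014 13:11:06.500 this is not a query line and is skipped",
]

if __name__ == "__main__":
    for ip, peak in find_localhost_bursts(SAMPLE_LOG).items():
        print(f"{ip}: peak of {peak} localhost queries within the window")
```

With the defaults, only 203.0.113.7 is reported (peak of 7 in a 10 second window); the single AAAA query from 203.0.113.8 stays below the threshold. The threshold and window are deliberately parameters, since what counts as a burst depends on the resolver's normal query rate, and a name like "localhost" should ideally be answered from a local zone so the burst never reaches an upstream server at all.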

Re: DNS Lookup - Filter localhost

2014-11-17 Thread Stephen Satchell
On 11/17/2014 01:11 PM, Radke, Justin wrote:
> This past weekend we started receiving bursts of lookups on our DNS server for localhost. We blocked our subscriber abusing this lookup (most assuredly malware and not intentional) but curious what safeguards you put in place for DoS attacks on your

Re: DNS Lookup - Filter localhost

2014-11-17 Thread Anders Löwinger
> 4. Do you block non-UDP DNS requests or rate-limit requests? Yes
Why? RFC5966 DNS Transport over TCP - Implementation Requirements. You make it very hard for DNSSEC
> 5. Anything else you block/filter on your DNS servers? block fragmented packets
Why? You then block EDNS0, which DNSSEC

Re: DNS Lookup - Filter localhost

2014-11-17 Thread David Conrad
> 3. Do you block 512 Bytes DNS requests?
How many 512 byte DNS requests are people seeing? Perhaps the requester meant 512 byte DNS responses? Blocking 512 byte responses would be ... unfortunate.
> 4. Do you block non-UDP DNS requests or rate-limit requests? Yes
I presume (hope) the yes