This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers
Ralf Weber
dns at fl1ger.de
Tue Jun 28 12:41:51 CEST 2016
Moin!

On 28 Jun 2016, at 12:26, Mirjam Kuehne wrote:

> Dear colleagues,
>
> Ramtin Kiaei shows how to mitigate DNS attacks by implementing a
> stateless firewall filter at the aggregation or edge router.
> Please find his article on RIPE Labs:
>
> https://labs.ripe.net/Members/ramtin_kiaei/securing-network-infrastructure-for-dns-servers?pk_campaign=labs&pk_kwd=list-dnswg

IMHO this is full of bad ideas and against protocol specs. While I agree that in this day and age one must defend against attacks on DNS systems, just blindly dropping on packet size or fragments is a very bad idea. Forwarding to 8.8.8.8 also is, although I know people who disagree with me on that.

If you deploy this approach I'm pretty sure down the road you will spend endless hours trying to debug why something does not work and then find out that it's the filter on packet size you had totally forgotten about.

So long
-Ralf