[dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers
Mirjam Kuehne
mir at ripe.net
Tue Jun 28 12:56:38 CEST 2016
Hi Ralf,

Thanks for the feedback. I am copying the author so he is aware of your comment.

Kind regards,
Mirjam

On 28/6/16 12:41, Ralf Weber wrote:
> Moin!
>
> On 28 Jun 2016, at 12:26, Mirjam Kuehne wrote:
>
>> Dear colleagues,
>>
>> Ramtin Kiaei shows how to mitigate DNS attacks by implementing a
>> stateless firewall filter at the aggregation or edge router.
>> Please find his article on RIPE Labs:
>>
>> https://labs.ripe.net/Members/ramtin_kiaei/securing-network-infrastructure-for-dns-servers?pk_campaign=labs&pk_kwd=list-dnswg
>>
> IMHO this is full of bad ideas and against protocol specs. While I agree
> that in this day and age one must defend against attacks on DNS
> systems, just blindly dropping on packet size or fragments is a very
> bad idea. Forwarding to 8.8.8.8 also is, although I know people who
> disagree with me on that.
>
> If you deploy this approach I'm pretty sure down the road you will spend
> endless hours trying to debug why something does not work and then find
> out that it's the filter on packet size you had totally forgotten about.
>
> So long
> -Ralf