[dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers
Mirjam Kuehne
mir at ripe.net
Tue Jun 28 12:56:38 CEST 2016
Hi Ralf,

Thanks for the feedback. I am copying the author so he is aware of your comment.

Kind regards,
Mirjam

On 28/6/16 12:41, Ralf Weber wrote:
> Moin!
>
>
> On 28 Jun 2016, at 12:26, Mirjam Kuehne wrote:
>
>> Dear colleagues,
>>
>> Ramtin Kiaei shows how to mitigate DNS attacks by implementing a
>> stateless firewall filter at the aggregation or edge router.
>> Please find his article on RIPE Labs:
>>
>> https://labs.ripe.net/Members/ramtin_kiaei/securing-network-infrastructure-for-dns-servers?pk_campaign=labs&pk_kwd=list-dnswg
>>
> IMHO this is full of bad ideas and against protocol specs. While I agree
> that in this day and age one must defend against attacks on DNS
> systems, just blindly dropping on packet size or fragments is a very
> bad idea. Forwarding to 8.8.8.8 also is, although I know people who
> disagree with me on that.
>
> If you deploy this approach I'm pretty sure down the road you will spend
> endless hours trying to debug why something does not work and then find
> out that it's the filter on packet size you had totally forgotten about.
>
> So long
> -Ralf
>