Hi Ralf,

Thanks for the feedback. I am copying the author so he is aware of your comment.

Kind regards,
Mirjam

On 28/6/16 12:41, Ralf Weber wrote:
Moin!
On 28 Jun 2016, at 12:26, Mirjam Kuehne wrote:
Dear colleagues,
Ramtin Kiaei shows how to mitigate DNS attacks by implementing a stateless firewall filter at the aggregation or edge router. Please find his article on RIPE Labs:
IMHO this is full of bad ideas and against protocol specs. While I agree that in this day and age one must defend against attacks on DNS systems, just blindly dropping on packet size or fragments is a very bad idea. Forwarding to 8.8.8.8 also is, although I know people who disagree with me on that.
If you deploy this approach I'm pretty sure down the road you will spend endless hours trying to debug why something does not work and then find out that it's the filter on packet size you had totally forgotten about.
So long -Ralf