Dear colleagues,
Ramtin Kiaei shows how to mitigate DNS attacks by implementing a stateless firewall filter at the aggregation or edge router. Please find his article on RIPE Labs:
https://labs.ripe.net/Members/ramtin_kiaei/securing-network-infrastructure-for-dns-servers?pk_campaign=labs&pk_kwd=list-dnswg

Moin!

On 28 Jun 2016, at 12:26, Mirjam Kuehne wrote:

IMHO this is full of bad ideas and against protocol specs. While I agree that in this day and age one must defend against attacks on DNS systems, just blindly dropping on packet size or fragments is a very bad idea. Forwarding to 8.8.8.8 also is, although I know people who disagree with me on that. If you deploy this approach I'm pretty sure down the road you will spend endless hours trying to debug why something does not work and then find out that it's the filter on packet size you totally forgot about.

So long
-Ralf
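As an added illustration of the objection above (this is not code from the thread or from the RIPE Labs article), the constructed Python model below builds a plain DNS answer and a DNSSEC-signed answer carrying an EDNS0 OPT record, then runs both plus a trailing IP fragment through a hypothetical stateless rule that drops UDP/53 packets above 512 bytes and all fragments. The filter rule, the message layout and the sizes are assumptions for the demonstration, not the article's actual configuration; the point it shows is that such a rule silently discards legitimate EDNS0/DNSSEC traffic.

```python
import struct

def build_dns_response(qname, txid=0x1234, rrsig_len=0, edns_bufsize=None):
    """Construct a minimal DNS response: one A answer, an optional RRSIG
    (type 46) filler standing in for signature data, and an optional
    EDNS0 OPT pseudo-RR (type 41) advertising the UDP payload size."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    ancount = 1 + (1 if rrsig_len else 0)
    arcount = 1 if edns_bufsize else 0
    # flags 0x8180: standard response, recursion desired/available
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, arcount)
    question = name + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    # answer uses a compression pointer (0xC00C) back to the question name
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    msg = header + question + answer
    if rrsig_len:
        # constructed RRSIG: RDATA is zero filler of rrsig_len bytes
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 46, 1, 300, rrsig_len) + b"\x00" * rrsig_len
    if edns_bufsize:
        # OPT RR: root name, type 41, CLASS field = advertised UDP buffer size
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg

def stateless_filter(pkt, max_len=512, is_fragment=False):
    """Model of the naive rule: drop UDP/53 payloads longer than max_len
    and drop every non-first IP fragment (which carries no UDP header)."""
    if is_fragment:
        return "drop (fragment)"
    if len(pkt) > max_len:
        return "drop (len %d > %d)" % (len(pkt), max_len)
    return "accept"

def audit(max_len=512):
    """Run three constructed packets through the rule and report the verdicts."""
    cases = {
        "plain A answer": (build_dns_response("example.com"), False),
        "DNSSEC answer with EDNS0 4096": (
            build_dns_response("example.com", rrsig_len=1100, edns_bufsize=4096), False),
        # constructed second fragment of a ~1700-byte reply: only a payload tail
        "second fragment of large reply": (b"\x00" * 220, True),
    }
    return {label: stateless_filter(pkt, max_len, frag) for label, (pkt, frag) in cases.items()}

if __name__ == "__main__":
    for label, verdict in audit().items():
        print("%-32s %s" % (label, verdict))
```

Only the short unsigned answer survives; the DNSSEC reply and the fragment, both valid per EDNS0, are the ones the rule throws away, which is exactly the kind of failure that is hard to trace back to the filter later.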