[88944] in North American Network Operators' Group
Re: DNS deluge for x.p.ctrc.cc
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sat Feb 25 09:07:57 2006
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Rob Thomas <robt@cymru.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: (Your message of "Fri, 24 Feb 2006 16:33:08 CST.")
<Pine.GSO.4.62.0602241629470.21514@qentba.nf23028.arg>
Date: Sat, 25 Feb 2006 06:00:17 -0800
Errors-To: owner-nanog@merit.edu
In message <Pine.GSO.4.62.0602241629470.21514@qentba.nf23028.arg>, Rob Thomas w
rites:
>
>Limit UDP queries to 512 bytes. This greatly decreases the
>amplification affect, though it doesn't stop it.
>
Unfortunately, the intention of the DNS developers is just the
opposite. Things like DNSSEC require larger packet sizes; in fact,
there's a DNS extension (EDNS0) whose purpose, among others, it to
permit this.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb