discuss - Re: [opennic-discuss] DDOS blocking

  • From: "Aaron J. Angel" <thatoneguy AT aaronjangel.us>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] DDOS blocking
  • Date: Wed, 03 Apr 2013 10:25:29 -0400

On 04/03/2013 09:52 AM, Jeff Taylor wrote:
> I'm also not sure about the +E, but take a look at the tcpdump section

Recursion requested (+). EDNS0 enabled (E); that is, large DNS messages.

> I'm starting to wonder if we should make it a policy to drop all ANY
> requests? It seems that is the key factor behind all of these attacks,
> and other than the servers talking between themselves, I don't know of
> any use a client would have for such a query.

This doesn't resolve the problem, it just covers up a portion of it. http://www.corecom.com/external/livesecurity/dnsamplification.htm

On 04/02/2013 11:53 PM, kennytaylor AT runbox.com wrote:
> I'm not entirely sure offhand what that query is asking for.

The query (. IN ANY) is requesting all records for the root zone. As you can imagine, that's a fairly hefty request to be made that often. Likely the result of the previous request (z.tn.co.za ANY ANY) being blocked by name servers claiming authority for z.tn.co.za, then serving no results. (Apparently, that domain had a rather large TXT record.)
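Added example, not part of the original message or of any OpenNIC tooling: a small parser for query-log lines in the BIND 9 style quoted in the thread (`. IN ANY +E`) that decodes the `+` and `E` flags and counts, per source address, the ANY queries that request recursion with EDNS0. The sample log lines, the addresses, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the BIND 9 query-log style the thread quotes;
# all addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
client 192.0.2.10#53211: query: . IN ANY +E (198.51.100.5)
client 192.0.2.10#41876: query: . IN ANY +E (198.51.100.5)
client 192.0.2.10#10293: query: z.tn.co.za IN ANY +E (198.51.100.5)
client 203.0.113.7#55012: query: example.org IN A + (198.51.100.5)
client 203.0.113.7#55013: query: example.org IN ANY - (198.51.100.5)
client 192.0.2.44#6001: query: example.net IN AAAA +ED (198.51.100.5)
"""

QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"   # source address and port
    r".*?: query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) "
    r"(?P<flags>[+-]\S*)"                            # '+' or '-', then letters
)

def parse_query(line):
    """Return (ip, name, qtype, recursion, edns), or None for other lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    flags = m["flags"]
    # '+' = recursion requested, 'E' = EDNS0 (large responses allowed)
    return (m["ip"], m["name"], m["type"].upper(),
            flags.startswith("+"), "E" in flags)

def any_query_sources(log_text, threshold=2):
    """Sources with at least `threshold` recursive, EDNS0-enabled ANY queries.

    In an amplification flood the source address is normally spoofed, so the
    addresses returned here are likely the targets of the reflected traffic.
    """
    hits = Counter()
    for line in log_text.splitlines():
        q = parse_query(line)
        if q and q[2] == "ANY" and q[3] and q[4]:
            hits[q[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in any_query_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} ANY queries with +E")
```

The counts can feed per-source response rate limiting, which addresses the volume without dropping every ANY query.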


