Maybe limit DNS queries with long answers to TCP. DNS servers speak both TCP and UDP. With a UDP query, the source address can be faked, which causes the results to be sent somewhere else. With TCP, the attacker can't make it through the TCP handshake with a fake source address, because the attacker isn't getting the replies.
"Consumer Product Safety Commission is behind...DDoS"
This sort of title suggests that intent is not important.
If we accept that as true, then we can make a few more observations.
DNSSEC is behind DDoS.
The large responses mandated by DNSSEC allow DNS to be used to DDoS.
People warned the DNSSEC proponents about this.
They ignored the warnings.
Because the intent of DNSSEC is something else besides DDoS. (What that something is could be a controversial topic in itself.)
If DNSSEC and its users are behind DDoS, then who is behind DNSSEC?
What are they trying to achieve, what is the problem they hope to solve with DNSSEC? Besides making DDoS easier.
A small group of people gets to ultimately decide what is and what is not a "valid" or "authentic" domain name?
Why would anyone need something like that?
"DNS experts" over the years have been increasingly willing to admit that it's reasonable to acknowledge that users could choose not to share a DNS cache with anyone else. They could run their own cache bound to the loopback.
When this happens, does the user still need DNSSEC?
5 comments
[ 1059 ms ] story [ 1390 ms ] thread=>
"How the Consumer Product Safety Commission's DNS Records Are Used in the Largest DDoS Attacks"
FTFY
This sort of title suggests that intent is not important.
If we accept that as true, then we can make a few more observations.
DNSSEC is behind DDoS.
The large responses mandated by DNSSEC allow DNS to be used to DDoS.
People warned the DNSSEC proponents about this.
They ignored the warnings.
Because the intent of DNSSEC is something else besides DDoS. (What that something is could be a controversial topic in itself.)
If DNSSEC and its users are behind DDoS, then who is behind DNSSEC?
What are they trying to achieve, what is the problem they hope to solve with DNSSEC? Besides making DDoS easier.
A small group of people gets to ultimately decide what is and what is not a "valid" or "authentic" domain name?
Why would anyone need something like that?
"DNS experts" over the years have been increasingly willing to admit that it's reasonable to acknowledge that users could choose not to share a DNS cache with anyone else. They could run their own cache bound to the loopback.
When this happens, does the user still need DNSSEC?