@cks

Scanning for publicly-reachable proxy DNS servers is old hat. I've been warning people about such since the turn of the century, and #tinydns is never going to be vulnerable in that way.

The more interesting attack, not least because Bernstein got it right all along, is the people that send queries with huge EDNS0 buffer sizes, asking for ANY against fsf.org (which is nearly 5KiB of response) and direct the responses at the tram port of some victim's router.

#djbdns #djbwares
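The query pattern described in the post above, as an added detection example that is not part of the original posts: it parses a DNS query and flags the combination of QTYPE ANY with an EDNS0 OPT record advertising a UDP payload size above the classic 512-byte limit. The function names and the `example.org` sample queries are constructed for illustration.

```python
import struct

QTYPE_ANY = 255          # "ANY" / "*" question type
RRTYPE_OPT = 41          # EDNS0 pseudo-record
CLASSIC_UDP_LIMIT = 512  # response size limit when no EDNS0 is offered

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + length

def classify_query(msg):
    """Parse one DNS query; return (qtype, advertised_udp_size, suspicious)."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    off = _skip_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!2H", msg, off)
    off += 4
    udp_size = CLASSIC_UDP_LIMIT
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == RRTYPE_OPT:
            # The OPT record's CLASS field carries the requester's payload size;
            # values below 512 are treated as 512.
            udp_size = max(rclass, CLASSIC_UDP_LIMIT)
    suspicious = qtype == QTYPE_ANY and udp_size > CLASSIC_UDP_LIMIT
    return qtype, udp_size, suspicious

def build_query(name, qtype, edns_size=None):
    """Constructed sample input: a query for `name`, optionally with an OPT RR."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg = header + qname + struct.pack("!2H", qtype, 1)
    if edns_size:
        msg += b"\0" + struct.pack("!HHIH", RRTYPE_OPT, edns_size, 0, 0)
    return msg

if __name__ == "__main__":
    for q in (build_query("example.org", 255, 4096), build_query("example.org", 1)):
        print(classify_query(q))
```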

@cks

The first sentence of the new security chapter that I wrote last week for the Guide for #djbwares:

> Expect any Internet-facing DNS service to be attacked immediately that it is up and running.

It has certainly been my experience.

I looked up one of the attackers, and they actually claimed on a WWW page to be a shadowy organization that works for governments but cannot tell you about it.

#tinydns happily logs dropping all of the queries. (-:

#djbdns