Attack Against DNS Root Servers
Has anyone been following the attack against the DNS root servers two weeks ago? Details.
I can’t precisely explain why, but this feels like someone testing an attack capability.
For defense: it’s long past time to implement source address validation in the DNS system.
Bill Stewart • December 15, 2015 1:07 AM
Would it make sense for the root DNS servers to only accept TCP queries instead of UDP? Almost all legitimate DNS queries should be going to recursive servers at ISPs or other services, many newer query responses don’t fit into 1500-byte packets anyway (especially if there’s an amplification attack), and that would reduce the viability of spoofed queries.