Simple DNS Plus v. 5.2 build 123 released
Wednesday, 19 June 2013
Simple DNS Plus v. 5.2 build 123 is now available at http://simpledns.com/download
Over the past few days we have received many user requests for an option in Simple DNS Plus to answer UDP 'ANY' requests with an empty response that has the TC (truncated) flag set.
This is one way to deal with a specific variant of the DNS amplification attacks which are currently rampant.
The idea appears to originate from a recent unofficial patch for BIND (another DNS server) which has received some media coverage.
This is a sensible approach: the response sent to the spoofed victim address is no larger than the request, and DNS clients/resolvers making legitimate UDP 'ANY' requests simply retry the request over TCP, as the TC flag instructs. It also makes your DNS server less attractive as a waypoint for these attacks, since it no longer amplifies such requests; it only reflects them. (Reflection still sends one small packet to the victim per spoofed request, so the server becomes far less useful to an attacker rather than entirely useless.)
Ignoring all UDP 'ANY' requests is of course more effective, and may also be a viable option, since the only commonly known applications that issue UDP 'ANY' requests are rather old versions of QMail.
So in this new build we have added this feature, along with a second option to ignore UDP 'ANY' requests completely, the same two choices for <root> requests (another common variant of DNS amplification attacks), and options to log or not log each type of request.
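To make the three behaviours concrete, here is an added illustration (not Simple DNS Plus code, and not the BIND patch) that applies the same policy to raw DNS wire-format packets: a query arriving over UDP is either answered normally, answered with an empty TC-flagged reply, or dropped, depending on whether it is an 'ANY' query or a query for the root. The function and policy names, the sample query, and the padded TXT answer used to measure the unmitigated amplification factor are all constructed for this example.

```python
"""Toy model of the UDP 'ANY' / root-query mitigation described above.

Added example, not Simple DNS Plus code. It works on raw DNS messages
(RFC 1035 wire format) so it runs offline on constructed packets; the
policy names, function names and sample data are assumptions made here.
"""
import struct

QTYPE_A = 1
QTYPE_NS = 2
QTYPE_TXT = 16
QTYPE_ANY = 255
FLAG_QR = 0x8000      # message is a response
FLAG_OPCODE = 0x7800  # opcode bits, copied from the query
FLAG_TC = 0x0200      # truncated: "retry this query over TCP"
FLAG_RD = 0x0100      # recursion desired, copied from the query


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00'; '.' -> b'\\x00'."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, qid=0x1234):
    """One-question query with RD set, as a stub resolver would send it."""
    header = struct.pack(">HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def header_fields(pkt):
    """(id, flags, qdcount, ancount, nscount, arcount) of a DNS message."""
    return struct.unpack(">HHHHHH", pkt[:12])


def parse_query(pkt):
    """Return (id, flags, qname, qtype, raw_question_section)."""
    qid, flags, qdcount, _, _, _ = header_fields(pkt)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in a query name")
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    qtype, _qclass = struct.unpack(">HH", pkt[pos:pos + 4])
    pos += 4
    qname = ".".join(labels) + "."  # the root name is just "."
    return qid, flags, qname, qtype, pkt[12:pos]


def handle_udp_query(pkt, any_policy="truncate", root_policy="truncate"):
    """Decide how to treat a query that arrived over UDP (TCP is unaffected).

    Policies are "answer" (process normally), "truncate" (empty reply with
    TC set, so the server only reflects) or "ignore" (send nothing).
    A query for the root name uses root_policy, any other ANY query uses
    any_policy.  Returns (action, response_bytes_or_None).
    """
    qid, flags, qname, qtype, question = parse_query(pkt)
    if qname == ".":
        policy = root_policy
    elif qtype == QTYPE_ANY:
        policy = any_policy
    else:
        policy = "answer"
    if policy == "answer":
        return "answer", None
    if policy == "ignore":
        return "ignore", None
    # Empty response: same id, question echoed, no records, QR and TC set,
    # opcode and RD copied from the query.  Same size as the request.
    rflags = FLAG_QR | FLAG_TC | (flags & (FLAG_OPCODE | FLAG_RD))
    header = struct.pack(">HHHHHH", qid, rflags, 1, 0, 0, 0)
    return "truncate", header + question


def build_txt_answer(query_pkt, n_records, payload=b"x" * 200):
    """Constructed, deliberately bulky 'normal' answer with n TXT records,
    used only to measure the amplification an unmitigated server offers."""
    qid, flags, _, _, question = parse_query(query_pkt)
    header = struct.pack(">HHHHHH", qid, FLAG_QR | (flags & FLAG_RD),
                         1, n_records, 0, 0)
    rdata = bytes([len(payload)]) + payload  # TXT: one <character-string>
    rr = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + question + rr * n_records


def amplification_factor(request, response):
    """Bytes sent to the (possibly spoofed) source per byte received."""
    return len(response) / len(request)


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    action, resp = handle_udp_query(q)
    print(action, "amplification", amplification_factor(q, resp))
    print("unmitigated amplification", amplification_factor(q, build_txt_answer(q, 2)))
```

Against a real server you can verify the same behaviour with dig: `dig +ignore ANY example.com @server` shows the empty answer with `tc` among the flags, while a plain `dig ANY example.com @server` reports that it is retrying in TCP mode and then completes the query over TCP.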
There are no other updates or fixes included in this build.
This is NOT a critical update; you only need to update if you want or need the new feature and options mentioned above.