DNS Fuckery


Cloudflare on how they’re mitigating reflection attacks. The tl;dr: optimized crypto (elliptic curve instead of RSA) for signing DNSSEC, refusing the ANY request, and keeping responses within the constraints of a 512-byte UDP packet to mitigate amplification.

Detecting DNS Tunnelling via Packetbeat, Watcher and Elasticsearch

RandomDNS for randomizing use of DNSCrypt