DNS Fuckery
2016.03.21
Cloudflare on how they’re mitigating reflection attacks. The tl;dr: optimized crypto (elliptic curve instead of RSA) for signing DNSSEC, refusing ANY requests, and keeping responses within the constraints of a 512-byte UDP packet to mitigate amplification.
Detecting DNS Tunnelling via PacketBeat and Watcher and Elasticsearch
RandomDNS for randomizing use of DNSCrypt