Simple DNS Plus v. 5.2 build 123 released

Wednesday, 19 June 2013

Simple DNS Plus v. 5.2 build 123 is now available at

Over the past few days we have received a lot of user requests to add a feature in Simple DNS Plus to respond to UDP 'ANY' request with an empty response with the TC (truncated) flag set.
This is one way to deal with a specific variant of DNS amplification attacks which are currently rampant.

The idea appears to originate from a recent unofficial patch for BIND (another DNS server) which has gotten some media coverage.
And this is a good idea, since it minimizes the size of the response packet sent to attack victims, and DNS clients/resolvers making legitimate UDP 'ANY' requests will simply retry the request over TCP (as per the TC flag). It also makes your DNS server less interesting as a waypoint for these attacks, since it no longer amplifies these types of requests - it only reflects them.
It is of course not as effective as simply ignoring all UDP 'ANY' requests - which may also be a viable solution, since the only commonly known applications to use UDP 'ANY' requests are rather old versions of QMail.

So in this new build, we have now added this feature - along with another choice to ignore UDP 'ANY' requests completely, as well as the same choices for <root> requests (another common variant of DNS amplification attacks), and options to log / not log each type of request.
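To make the mechanism concrete, here is an added example showing the two UDP policies described above (empty TC-flagged reply, or ignore) applied to 'ANY' and root requests. This is illustration code written for this page, not code from Simple DNS Plus or from the BIND patch; the function names (`udp_policy`, `truncated_empty_response`, `amplification_ratio`) and the treatment of a question for "." as a "root request" are assumptions made here. It uses only the Python standard library and constructs its own sample queries, so it runs offline.

```python
import struct

# Assumed names and constants for this illustration; none come from Simple DNS Plus.
QTYPE_A = 1
QTYPE_ANY = 255
FLAG_QR = 0x8000          # header bit: this packet is a response
FLAG_TC = 0x0200          # header bit: truncated, client should retry over TCP
MASK_OPCODE_RD = 0x7900   # opcode bits plus RD, echoed back from the query


def encode_name(qname: str) -> bytes:
    """Wire-encode a dotted name; '.' (root) becomes a single zero byte."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, qname: str, qtype: int) -> bytes:
    """Build a minimal recursion-desired UDP query with one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes):
    """Return (txid, flags, qname, qtype, question_bytes) for the first question."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    qname = ".".join(labels) + "."
    return txid, flags, qname, qtype, packet[12:pos]


def truncated_empty_response(query: bytes) -> bytes:
    """Header plus the echoed question only: ANCOUNT=0, QR=1, TC=1, no answer data."""
    txid, flags, _, _, question = parse_query(query)
    resp_flags = FLAG_QR | FLAG_TC | (flags & MASK_OPCODE_RD)
    return struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0) + question


def udp_policy(query: bytes, any_mode: str = "truncate", root_mode: str = "truncate"):
    """Decide what to do with one UDP query.

    any_mode / root_mode are 'answer', 'truncate' or 'ignore'.
    Returns ('answer', None) to hand the query to normal resolution,
    ('truncate', bytes) to send the empty TC reply, or ('ignore', None) to drop it.
    """
    _, _, qname, qtype, _ = parse_query(query)
    mode = "answer"
    if qtype == QTYPE_ANY:
        mode = any_mode
    elif qname == ".":          # assumption: a question for the root zone is a '<root>' request
        mode = root_mode
    if mode == "truncate":
        return "truncate", truncated_empty_response(query)
    if mode == "ignore":
        return "ignore", None
    return "answer", None


def amplification_ratio(query: bytes, response: bytes) -> float:
    """Bytes sent to the (possibly spoofed) source address per byte received."""
    return len(response) / len(query)


if __name__ == "__main__":
    # Constructed sample: a 29-byte 'ANY' query for example.com over UDP.
    q = build_query(0x1234, "example.com.", QTYPE_ANY)
    action, resp = udp_policy(q)
    print(action, len(q), "byte query ->", len(resp), "byte reply,",
          "ratio", amplification_ratio(q, resp))
```

Running the block shows the point made above: the truncated reply is exactly the size of the query (ratio 1.0), so the server reflects the traffic but no longer amplifies it, while a plain 'A' query still goes to normal resolution and the 'ignore' mode drops the packet entirely.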

There are no other updates or fixes included in this build.

This is NOT a critical update, and you only need to update if you want / need the new feature / options mentioned above.
