nanog mailing list archives
Re: Open Resolver Problems
From: Nick Hilliard <nick () foobar org>
Date: Mon, 25 Mar 2013 16:51:44 +0000

On 25/03/2013 16:35, Alain Hebert wrote:
> That might be just me, but I find those peers allowing their customers to spoof source IP addresses more at fault.

that is equally stupid and bad.

> PS: Some form of adaptive rate limitation works for it btw =D

no, it doesn't. In order to ensure that your resolver clients are serviced properly, you need to keep the DNS query rate high enough that if someone has a large bcp38-enabled botnet, they can trash the hell out of whoever they want. The best solution is to disable open recursion completely, and police your clients regularly.

Nick