nanog mailing list archives

Re: Open Resolver Problems


From: Nick Hilliard <nick () foobar org>
Date: Mon, 25 Mar 2013 16:51:44 +0000

On 25/03/2013 16:35, Alain Hebert wrote:
> That might be just me, but I find those peers allowing their
> customers to spoof source IP addresses more at fault.

that is equally stupid and bad.

> PS: Some form of adaptive rate limitation works for it btw =D

no, it doesn't.  In order to ensure that your resolver clients are serviced
properly, you need to keep the DNS query rate high enough that if someone
has a large bcp38-enabled botnet, they can trash the hell out of whoever
they want.

The best solution is to disable open recursion completely, and police your
clients regularly.

Nick
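
One way to run the "police your clients" check from the message above, as an added example that is not part of the original post: send a recursive query from an address outside the resolver's client ranges and classify the reply by its RA flag and RCODE. The function names, the `example.com` probe name and the sample replies are constructed for illustration.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # DNS header flag bits

def build_query(name, txid, qtype=1):
    """Encode a recursive (RD=1) query for `name`, class IN."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify(txid, response):
    """Return 'open', 'closed', 'no-recursion' or 'invalid' for a reply."""
    if len(response) < 12:
        return "invalid"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & QR:
        return "invalid"                # wrong transaction or not a reply
    rcode = flags & 0x000F
    if rcode == 5:                      # REFUSED: recursion denied to us
        return "closed"
    if flags & RA and rcode in (0, 3):  # recursed: NOERROR or NXDOMAIN
        return "open"
    return "no-recursion" if rcode == 0 else "closed"

def probe(addr, name="example.com", txid=0x1234, timeout=2.0):
    """Query addr:53 once; run from outside the resolver's client ranges."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (addr, 53))
            return classify(txid, s.recvfrom(4096)[0])
        except OSError:                 # timeout or port unreachable
            return "closed"

# Constructed reply headers for checking classify() offline.
def _reply(txid, flags, ancount=0):
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)

SAMPLES = {
    "recursing for anyone": _reply(0x1234, QR | RD | RA, 1),
    "refuses outsiders": _reply(0x1234, QR | RD | RA | 5),
    "authoritative only": _reply(0x1234, QR | RD | AA, 1),
}
```

A host that comes back `open` when probed from outside its intended client ranges is the one to follow up on.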


