[dns-operations] DNS deluge for x.p.ctrc.cc

Paul Vixie vixie at vix.com
Sun Feb 26 16:14:50 UTC 2006


someone over on nanog said...

> > ..., please be aware that if you leave your name servers open to
> > recursive query requests from any source, you WILL unwittingly help to
> > amplify these attacks.

to which randy bush (who i know is subscribed to dns-operations@, thus my
willingness to move this thread here) replied:

> and there is discussion on treating this similarly to how open smtp
> relays are treated today.

indeed, i have heard such talk, and OARC might shortly become involved in 
creating a BGP feed that covers tested-to-be-recursive recently-abused
nameservers.  what's less than clear to me is whether any root or tld
nameserver operator will be interested in it.  the tradeoff is between
"being reachable to all" and "being reachable during attacks" and there
isn't a clear disadvantage to one over the other.  note that "modality,"
whereby the BGP feed was switched on _during_ attacks, would be a source
of instability and a possible attack vector in its own right.
-- 
Paul Vixie


