[dns-operations] DNS deluge for x.p.ctrc.cc

Joe Greco jgreco at ns.sol.net
Mon Feb 27 02:29:12 UTC 2006


> Hi, team.
> 
> ] As has been mentioned before, the full solution comes down to the age old 
> ] problem of proper spoof prevention throughout the 'net.  Not exactly an 
> ] easy one to solve, though.
> 
> Agreed, plus the implementation of DNS best practices. 

Except that the definition of "best practices" is poorly defined.

We might all agree that it's a best practice to run the latest version of
BIND.

Some people might want to argue that closed recursers are a best practice,
based on the fact that it is somewhat harder to poison the cache of a
non-public recurser.  This conveniently ignores the fact that it will tend
to be the same networks that run old software that don't do ingress
filtering, so if I want to poison CrappyCo's cache, the fact that they've
configured themselves for local recursion only won't help them when I emit
requests with a source address in their local IP space.  This also
conveniently ignores that there are useful reasons for transparency in the
DNS network, such as a content network being able to get some idea of what
an eyeball network's recursers are seeing(*).

Some other people would argue that open recursers are a best practice ...

Well, anyways, you get the idea.

> One of the
> challenges is that DNS administrators are often not in the same
> team, management chain, or organization as the network
> administrators.  This has caused difficulty even at the TLD level.

This is certainly true.

By the way, does anyone have any numbers as to how many open recursers are
out on the 'net?

(*) Note that I'm fully aware of the difficulties of this in an anycast
or load balanced environment, I've designed a few of these.  But in general
most environments ... aren't.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
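As an added example (not part of Joe Greco's post or anything from the list), here is a small Python probe for the kind of question raised above: given a resolver address, does it recurse for arbitrary clients? It sends one RD=1 query for a name the target is assumed not to be authoritative for and classifies the reply from its header bits alone: REFUSED is what an ACL-closed recurser typically returns, RA clear means recursion is simply not offered, and RA set with NOERROR or NXDOMAIN means it resolved the name on our behalf. The query name www.example.com, the classification labels and the helper names are assumptions for this illustration, and the sample replies are constructed, not captured traffic. Keep the post's caveat in mind: this probe leaves from your real source address, so a resolver closed by an address ACL will refuse it; that says nothing about whether a query spoofed from the resolver's own prefix would get through, which depends on ingress filtering at the network edge rather than on the resolver's ACL.

```python
import random
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000          # message is a response
AA = 0x0400          # authoritative answer
RD = 0x0100          # recursion desired
RA = 0x0080          # recursion available
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def build_query(qname, qid=None):
    """Build a minimal A/IN query for qname with RD set; returns (qid, packet)."""
    if qid is None:
        qid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)  # QDCOUNT=1
    question = b""
    for label in qname.rstrip(".").split("."):
        encoded = label.encode("ascii")
        question += struct.pack("!B", len(encoded)) + encoded
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return qid, header + question


def classify_response(data, expected_qid):
    """Classify a raw UDP reply to an RD=1 probe using only the 12-byte header.

    Assumes the probed name is one the target is NOT authoritative for, so an
    answer with RA set means the server recursed for us.
    """
    if len(data) < 12:
        return "malformed"
    qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid:
        return "bad-id"                      # not a reply to our question
    if not flags & QR:
        return "not-a-response"
    rcode = flags & RCODE_MASK
    if rcode == RCODE_REFUSED:
        return "refused"                     # typical ACL-closed recurser
    if flags & AA:
        return "authoritative-answer"        # it owns the zone; this says nothing about recursion
    if not flags & RA:
        return "recursion-not-available"     # recursion disabled or authoritative-only server
    if rcode in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "open-recursive"              # it resolved a foreign name on our behalf
    return "other-rcode-%d" % rcode


def constructed_reply(qid, rcode, ra, ancount):
    """Constructed sample reply (not captured traffic) for exercising the classifier offline."""
    flags = QR | RD | (RA if ra else 0) | (rcode & RCODE_MASK)
    question = b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + question


def probe(resolver_ip, qname="www.example.com.", timeout=2.0):
    """Send one RD=1 query from this host's real address and classify the reply."""
    qid, packet = build_query(qname)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(packet, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    return classify_response(data, qid)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for ip in sys.argv[1:]:
            print(ip, probe(ip))
    else:
        # Offline demonstration on constructed replies.
        samples = [("open", constructed_reply(1, RCODE_NOERROR, True, 1)),
                   ("closed", constructed_reply(1, RCODE_REFUSED, True, 0)),
                   ("auth-only", constructed_reply(1, RCODE_NOERROR, False, 0))]
        for label, reply in samples:
            print(label, classify_response(reply, 1))
```

Run it as `python3 probe.py 192.0.2.53` against a resolver you operate (the address is a placeholder); with no arguments it only classifies the constructed replies. It deliberately does not spoof the source address, so it measures what an ordinary outside client sees, not what a spoofed query from "inside" would get; probing address space you are not responsible for needs authorization.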