[dns-operations] Too Open (Was: OpenDNS makes your Internet work better

David Ulevitch davidu at everydns.net
Mon Jul 10 21:15:45 UTC 2006

On Jul 10, 2006, at 1:59 PM, Stephane Bortzmeyer wrote:

> On Mon, Jul 10, 2006 at 01:53:58PM -0700,
>  Rick Wesson <wessorh at ar.com> wrote
>  a message of 36 lines which said:
>> The ORNs discussed in the papers you reference below are for the
>> most part ones that are open but not managed as open, i.e. their
>> managers think that they are closed but in fact are not. These [in
>> mass] do pose a threat.
>> OpenDNS is supposed to be open, it's in their name. The ORNs are not
>> supposed to be open but they are.
> Correct but what does it change in practice? OpenDNS knows that
> it is open, but how does it make it less vulnerable?
> Do they implement rate-limiting, for instance?

I actually thought Rick's answer was pretty much perfect.  But I'll  
add some comments now:

There's a lot you can do when you are running an anycasted recursive  
nameserver to detect things happening in flash-mob style and in the  
Please think about this idea for a while before responding.

While I prefer bugs to be sent privately I'm happy to have a  
discussion here on concepts and ideas.  RFC1035 is pretty much all we  
had to go on for rules on how to handle things.  Deeply exploring the  
recursive<->client relationship is something we're working on and I'd  
love nothing more than to come up with what needs to be corrected or made
more clear in our service.

