[dns-operations] Too Open (Was: OpenDNS makes your Internet work better
David Ulevitch
davidu at everydns.net
Mon Jul 10 21:15:45 UTC 2006
On Jul 10, 2006, at 1:59 PM, Stephane Bortzmeyer wrote:
> On Mon, Jul 10, 2006 at 01:53:58PM -0700,
> Rick Wesson <wessorh at ar.com> wrote
> a message of 36 lines which said:
>
>> The ORNs discussed in the papers you reference below are for the
>> most part ones that are open but not managed as open. i.e. their
>> managers think that they are closed but in fact are not. These [in
>> mass] do pose a threat.
>>
>> OpenDNS is supposed to be open, it's in their name. The ORNs are not
>> supposed to be open but are.
>
> Correct, but what does it change in practice? OpenDNS knows that
> it is open, but how does it make it less vulnerable?
>
> Do they implement rate-limiting, for instance?

I actually thought Rick's answer was pretty much perfect. But I'll
add some comments now:

There's a lot you can do when you are running an anycasted recursive
nameserver to detect things happening in flash-mob style and in the
wild.

Please think about this idea for a while before responding.

While I prefer bugs to be sent privately, I'm happy to have a
discussion here on concepts and ideas. RFC1035 is pretty much all we
had to go on for rules on how to handle things. Deeply exploring the
recursive<->client relationship is something we're working on and I'd
love nothing more than to come up with what needs to be corrected or made
more clear in our service.

-david