[dns-operations] DNS deluge for x.p.ctrc.cc

Geo. geoincidents at nls.net
Wed Mar 1 16:54:47 UTC 2006

> all recursive servers should be configured to only answer local
> IP's, or their
> firewalls should enforce this.  it's this openness, and not the relative
> locations of the bots vs. the recursive servers, that i'm arguing
> be fixed.

We seem to not be communicating very well.

Let's say this is instantly fixed tomorrow; presto, all ISPs and corporations
set their firewalls so that recursive DNS is only available to local
clients. Let's also assume that all ISPs have fixed it so they are running
ingress/egress filters at their backbone routers, making non-local spoofing a
thing of the past. OK, the world is wonderful, right? Wrong!

Now the bots will simply spoof on the inside ISP network and use the local
DNS servers. The way to stop that is to run a firewall between the DNS
servers and their local clients (something almost nobody is going to do) or
put *gress filters on every router (which isn't even possible in some
cases). And it's at this point everyone will realize this isn't going to get

So if forcing recursive DNS servers to only serve local clients isn't going
to fix this, then why should we give up such nice functionality, a tool for
troubleshooting? For what gain should we dispose of this capability?

We need a better solution: DNS rate limiting (like the ping flood solution).
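One way to picture the per-client rate limiting the post ends on, as an added example that is not from the thread or any resolver: each source address gets its own token bucket, so a flood of queries carrying one forged source exhausts only that source's budget while an ordinary client's few lookups are still answered. The class, the function names and the sample traffic are all constructed here for illustration.

```python
# Added illustration of per-source rate limiting of recursive DNS answers.
# Hypothetical code, not taken from any resolver; sample traffic is constructed.
from collections import defaultdict

SCALE = 1000  # tokens are kept in thousandths so all arithmetic stays integral


class ResponseRateLimiter:
    """Token bucket per source address: at most `burst` answers at once and
    `rate` answers per second sustained; state is integer millitokens."""

    def __init__(self, rate: int, burst: int):
        self.rate = rate                      # refill per second
        self.capacity = burst * SCALE
        self.tokens = defaultdict(lambda: burst * SCALE)
        self.last_ms = {}                     # last refill time per source

    def allow(self, src: str, now_ms: int) -> bool:
        elapsed = now_ms - self.last_ms.get(src, now_ms)
        # rate answers/second is the same as rate millitokens per millisecond
        self.tokens[src] = min(self.capacity, self.tokens[src] + elapsed * self.rate)
        self.last_ms[src] = now_ms
        if self.tokens[src] >= SCALE:
            self.tokens[src] -= SCALE
            return True        # send the answer
        return False           # drop it (or reply truncated to force TCP)


# Constructed sample: (time in ms, source address, qname). The first source is
# forged 200 times in two seconds; the second is a normal client doing lookups.
SAMPLE_QUERIES = [(i * 10, "192.0.2.10", "x.p.example") for i in range(200)] + [
    (0, "198.51.100.5", "a.example"),
    (500, "198.51.100.5", "b.example"),
    (1200, "198.51.100.5", "c.example"),
]


def run(queries, rate=10, burst=20):
    """Replay the queries in time order; return answered/dropped counts per source."""
    limiter = ResponseRateLimiter(rate, burst)
    stats = defaultdict(lambda: {"answered": 0, "dropped": 0})
    for now_ms, src, _qname in sorted(queries):
        key = "answered" if limiter.allow(src, now_ms) else "dropped"
        stats[src][key] += 1
    return dict(stats)


if __name__ == "__main__":
    for src, counts in run(SAMPLE_QUERIES).items():
        print(src, counts)
```

With a burst of 20 and 10 answers per second, the forged source gets its initial burst and then one answer per 100 ms, so most of the flood is never reflected; the real client is untouched.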