[dns-operations] DNS deluge for x.p.ctrc.cc
Ejay Hire
ejay.hire at isdn.net
Wed Mar 1 19:57:46 UTC 2006
I think this is where we have the misunderstanding.
Limiting recursion is a function of the DNS server, not of a
firewall.
For the record, I don't trust my users any more than I trust
the internet, and it's still behind a firewall.
-ejay
> -----Original Message-----
> From: dns-operations-bounces at lists.oarci.net
> [mailto:dns-operations-bounces at lists.oarci.net] On Behalf Of Geo.
> Sent: Wednesday, March 01, 2006 1:42 PM
> To: dns-operations at mail.oarc.isc.org
> Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
>
> > Ejay Hire wrote:
> > > If the ISP fixes their DNS servers to restrict the IPs for
> > > which they answer recursive queries, then those fixed DNS
> > > servers will ignore the spoofed request because the spoofed
> > > request appears to come from an IP that they do not serve.
> >
> > I believe Geo actually meant something different. I also did not
> > understand his meaning at all at first... then he further explained.
> >
> > As the bots are in the ISP's allowed space, the ISP's DNS server will
> > allow recursion to these bots.
>
> Almost but not quite. If the ISP limits access to the recursive servers via
> a firewall between the internet and the ISP but not between their customers
> and the dns servers then spoofed requests from local clients will be
> accepted by the dns servers since they never pass thru the firewall.
>
> Geo.
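The two filtering points discussed in this thread (a border firewall versus a recursion limit on the DNS server itself), modelled as an added example that is not code from any poster. The address ranges, query labels and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing from documentation ranges; not taken from the thread.
CUSTOMER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

@dataclass(frozen=True)
class Query:
    label: str
    claimed_src: str   # source address written in the packet (may be spoofed)
    arrives_on: str    # "internet" or "customer": link the packet really came in on

def in_customer_space(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CUSTOMER_NETS)

def firewall_only(q: Query) -> bool:
    """Open resolver; a border firewall drops queries arriving from the internet."""
    # Customer-side packets never cross the firewall, so nothing inspects them.
    return q.arrives_on != "internet"

def server_acl_only(q: Query) -> bool:
    """Resolver recurses only for source addresses in the space it serves."""
    return in_customer_space(q.claimed_src)

def acl_and_firewall(q: Query) -> bool:
    """Both layers: the packet must pass the border and the server's own check."""
    return firewall_only(q) and server_acl_only(q)

# Constructed sample queries covering the cases raised in the thread.
QUERIES = [
    Query("customer, real source", "198.51.100.10", "customer"),
    Query("outside client", "203.0.113.5", "internet"),
    Query("local bot, spoofed outside source", "203.0.113.77", "customer"),
    Query("outside packet claiming customer source", "198.51.100.20", "internet"),
]

def evaluate():
    """Return {label: (firewall_only, server_acl_only, acl_and_firewall)}."""
    return {q.label: (firewall_only(q), server_acl_only(q), acl_and_firewall(q))
            for q in QUERIES}

if __name__ == "__main__":
    for label, answers in evaluate().items():
        print(f"{label:42} fw={answers[0]!s:5} acl={answers[1]!s:5} both={answers[2]}")
```

Only the legitimate customer query is answered under all three policies; the locally spoofed query is accepted by the firewall-only setup and refused once the server checks the source itself.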