> know that Win2K/DNS can't do this, but BIND can, and every modern OS has
> host-level firewall features (WinXP, MacOS/X, all Linux, all BSD, etc).

And this is exactly what I was saying: you would have to run a software
firewall on the DNS server. Most small to mid-sized ISPs are running *gress
filters at the backbone router; typically they do not run anti-spoofing
measures at each router on their network.

They'll pass your test for open recursion sources because you'll be testing
from the far side of the backbone router but it won't solve the problem.

If we try a rate limiting method like what's been used to prevent ping
flooding, then we just create yet another way to DoS someone. I don't see a
good solution yet. Perhaps in a few years when all DNS servers have the
proper feature set, but not today.
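An added example, not part of the thread or written by its author, showing the BIND side of the point above: a named.conf fragment with the open-recursion setting beside one that limits recursion to the ISP's own customer prefixes (192.0.2.0/24 and 198.51.100.0/24 are documentation placeholders standing in for the ISP's address space), plus, for BIND 9.9.4 and later, the response rate limit option with a slip value so the limiter itself does not become a way to cut off the client whose address is being forged. The two `options` blocks are alternatives; a real named.conf has only one.

```conf
// Weak setting: answers recursive queries from any source, so forged
// queries from outside the ISP are answered toward the spoofed address.
options {
    recursion yes;
    allow-recursion { any; };
};

// Corrected setting (added example): recursion and cache access only for
// the ISP's own customer prefixes (documentation placeholders here).
// Everyone else still gets authoritative answers for hosted zones.
acl "customers" { 192.0.2.0/24; 198.51.100.0/24; };

options {
    recursion yes;
    allow-recursion { "customers"; };
    allow-query-cache { "customers"; };

    // Response rate limiting (BIND 9.9.4 and later): caps identical answers
    // per source /24. "slip 2" sends every second suppressed answer as a
    // truncated reply instead of dropping it, so a real client behind an
    // address that is being forged retries over TCP rather than being
    // silently denied service by the limiter.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
        ipv4-prefix-length 24;
    };
};
```

The allow-recursion ACL is what the earlier message means by "BIND can"; it does not depend on the backbone or per-router filtering, so it holds even where the ISP only filters at the edge.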
