[dns-operations] DNS deluge for x.p.ctrc.cc

Paul Vixie paul at vix.com
Thu Mar 2 05:12:38 UTC 2006

# > know that Win2K/DNS can't do this, but BIND can, and every modern OS has
# > host-level firewall features (WinXP, MacOS/X, all Linux, all BSD, etc).
# And this is exactly what I was saying, you would have to run a software
# firewall on the DNS server. ...

yes.  we were agreeing on that point.

# They'll pass your test for open recursion sources because you'll be testing
# from the far side of the backbone router but it won't solve the problem.

no.  it will solve the problem, because the response-flows they generate will
be killable by the victim's ISP's without any flow-stateful rate-limiting.

# ...  Perhaps in a few years when all DNS servers have the
# proper feature set but not today.

my idea is that any server that doesn't have allow-query ACL's can have them
simulated by their OS-level firewall, or can be upgraded to an open source
(freely available) server implementation that has allow-query ACL's (assuming
that the host doesn't have OS-level firewalling).  so there's no reason why
we should wait before we demand safe networking from all recursive servers.

More information about the dns-operations mailing list