[dns-operations] DNS deluge for x.p.ctrc.cc
    Paul Vixie 
    paul at vix.com
       
    Thu Mar  2 05:12:38 UTC 2006
    
    
  
# > know that Win2K/DNS can't do this, but BIND can, and every modern OS has
# > host-level firewall features (WinXP, MacOS/X, all Linux, all BSD, etc).
# 
# And this is exactly what I was saying, you would have to run a software
# firewall on the DNS server. ...
yes.  we were agreeing on that point.
# They'll pass your test for open recursion sources because you'll be testing
# from the far side of the backbone router but it won't solve the problem.
no.  it will solve the problem, because the response-flows they generate will
be killable by the victim's ISPs without any flow-stateful rate-limiting.
# ...  Perhaps in a few years when all DNS servers have the
# proper feature set but not today.
my idea is that any server that doesn't have allow-query ACLs can have them
simulated by their OS-level firewall, or can be upgraded to an open source
(freely available) server implementation that has allow-query ACLs (assuming
that the host doesn't have OS-level firewalling).  so there's no reason why
we should wait before we demand safe networking from all recursive servers.
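The two controls the thread compares, a resolver-level allow-recursion ACL versus an OS-level firewall that admits port-53 packets only from the same nets, behave differently toward a source outside the ACL. The following is an added model (not code from the list post or from any DNS implementation) that classifies sample queries under each control; the trusted nets, the locally-authoritative zone and the query sources are constructed sample values:

```python
"""Added model (not from the list post) of the two controls discussed:

  1. a resolver-level ACL, e.g. BIND's  allow-recursion { trusted; };
  2. an OS-level firewall that only admits port-53 packets from the same
     nets, e.g. iptables rules of the shape
       -A INPUT -p udp --dport 53 -s 192.0.2.0/24 -j ACCEPT
       -A INPUT -p udp --dport 53 -j DROP

Both stop the server from emitting recursive answers for arbitrary (possibly
spoofed) sources; they differ in what an outsider gets back.  Nets, zone and
query sources below are constructed sample values."""

import ipaddress
from dataclasses import dataclass

# Constructed: the client nets this resolver is willing to recurse for.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
# Constructed: a zone this same host is also authoritative for.
LOCAL_ZONES = ("example.org",)


@dataclass(frozen=True)
class Query:
    src: str     # source address as seen on the wire (spoofable, so untrusted)
    qname: str   # name being asked for


def in_acl(src, nets=TRUSTED_NETS):
    """True if the source address falls inside one of the trusted nets."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in nets)


def is_local(qname, zones=LOCAL_ZONES):
    """True if qname is at or below a zone this host serves authoritatively."""
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in zones)


def resolver_acl(q):
    """Resolver-level ACL (allow-recursion semantics, simplified).
    - trusted source: full recursive service
    - outsider asking for a local zone: authoritative answer, no recursion
    - outsider asking for anything else: REFUSED, a reply no larger than the
      query, so the server cannot be used to amplify traffic toward a victim
    """
    if in_acl(q.src) or is_local(q.qname):
        return "ANSWER"
    return "REFUSED"


def host_firewall(q):
    """OS-level firewall standing in for the ACL: packets from outside the
    trusted nets are dropped before the server sees them, so nothing at all
    goes back -- including answers for zones this host is authoritative for.
    That is the trade-off to weigh before choosing this route on a host that
    is both recursive and authoritative."""
    if in_acl(q.src):
        return "ANSWER"
    return "DROP"


def compare(queries):
    """Classify each query under both controls: (src, qname, acl, firewall)."""
    return [(q.src, q.qname, resolver_acl(q), host_firewall(q)) for q in queries]


# Constructed sample traffic.
SAMPLE = [
    Query("192.0.2.10", "www.example.com."),    # a trusted client
    Query("203.0.113.5", "www.example.com."),   # outsider wanting recursion
    Query("203.0.113.5", "ns1.example.org."),   # outsider asking our own zone
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print("%-12s %-18s acl=%-8s firewall=%s" % row)
```

The third sample row is the practical difference: the resolver ACL still answers outsiders for the zone the host serves, while the firewall silently drops them, so a host that is both recursive and authoritative needs port-53 rules that are not simply "trusted nets only".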