[dns-operations] DNS deluge for x.p.ctrc.cc

Geo. geoincidents at nls.net
Thu Mar 2 11:29:07 UTC 2006

> no.  it will solve the problem, because the response-flows they generate
> be killable by the victim's ISP's without any flow-stateful rate-limiting.

It's not an ISP level issue, one ISP can have 500 businesses each with a dns
server that needs to be secured. Unlike spoofing it's not something the ISP
can do and be done with, it will be an ongoing project and will cost ISP's
customers so there will be a lot of resistance.

> my idea is that any server that doesn't have allow-query ACL's can have
> simulated by their OS-level firewall, or can be upgraded to an open source
> (freely available) server implementation that has allow-query ACL's
> that the host doesn't have OS-level firewalling).  so there's no reason
> we should wait before we demand safe networking from all recursive

<chuckle> So if someone suggested to you that  you switch to a different DNS
server, would you do it?

Most ISP's have been around for 10 years or more now, their systems are
integrated. Change isn't as easy as you suggest. And with a function as
critical as dns it'll generate even more resistance.

Honestly, this will take 10 years to secure and in the process we will lose
important trouble shooting capabilities (using someone elses name server to
confirm that a site is where it's supposed to be).  It's a bad solution to
try and IP block dns. There has got to be a better way.


More information about the dns-operations mailing list