[dns-operations] DNS deluge for x.p.ctrc.cc

Geo. geoincidents at nls.net
Fri Mar 3 11:17:55 UTC 2006


> I don't know what sort of mobile users you hang around with, but all
> of the mobile users I am aware of let either PPP or DHCP tell their
> computers which perfectly appropriate recursing nameserver they
> should talk to.

You keep limiting yourself to today and you are going to make the same
mistakes the guys who came up with 640K made.

Think in terms of tomorrow where instead of each house having one desktop
and one laptop each house has 50 or more devices connected via tcp/ip and
bandwidth is a gigabit connection for the last mile.

> I might simply be ignorant. If you can give me a plausible
> common scenario where a user would need to resort to a random open
> recursing nameserver, I'm all ears.

I use them to confirm that my DNS is resolving correctly beyond my
nameservers. It's not required but it's a nice capability that I would hate
to lose because spoofing is possible.

> By the way, geo is right. Abuse of open caching recursive
> nameservers is a symptom, and open access to them isn't the problem.
> Bad people being able to spoof traffic is the problem.

It's been the root of a lot of problems, smurf, the sqlslammer worm, etc.
That's really the root of this problem as well and I don't know of anything
that will break if we get rid of the ability to spoof. The problem of a few
network segments not dealing with the spoofing is self-curing as well since,
as the rest of the net does deal with it, those get isolated and filtered by
whoever they connect to.

Ingress/Egress filters should be configured by default by routers when a
route or local subnet is configured, much like relay should be disabled by
default in a mail server. If we can get the router people to understand this
the problem will go away much quicker, just like relay has.

Geo.
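The filtering behaviour Geo argues routers should install automatically, modelled as an added example that is not part of the original message: once a router knows its local prefixes, it can derive both rules itself, dropping outbound packets whose source is not local (a local host spoofing someone else) and inbound packets whose source claims to be local (an outsider spoofing one of our hosts). The prefixes, the `Packet` type and the sample traffic are constructed here for illustration and are not from the list thread.

```python
"""Source-address validation derived from configured local subnets.

Added example (not from the original post). The prefixes and packets
below are constructed sample data; the class names are this example's
own, not any router vendor's API.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "egress" = LAN -> upstream, "ingress" = upstream -> LAN


class SourceAddressFilter:
    """Anti-spoofing filter whose rules follow from the local prefixes.

    egress : source must lie inside a local prefix, else a local host is
             spoofing an address it does not own.
    ingress: source must NOT lie inside a local prefix, else an outsider is
             spoofing one of our hosts (the reflection pattern behind smurf
             and similar floods).
    """

    def __init__(self, local_prefixes):
        self.local = [ipaddress.ip_network(p, strict=False) for p in local_prefixes]

    def add_route(self, prefix):
        # Configuring a route/subnet installs the matching filter at once,
        # which is the "on by default" behaviour the message asks for.
        self.local.append(ipaddress.ip_network(prefix, strict=False))

    def is_local(self, addr):
        ip = ipaddress.ip_address(addr)
        # Membership across IP versions is simply False, so v4/v6 mix safely.
        return any(ip in net for net in self.local)

    def verdict(self, pkt):
        local_src = self.is_local(pkt.src)
        if pkt.direction == "egress" and not local_src:
            return "drop: egress source outside local prefixes (outbound spoof)"
        if pkt.direction == "ingress" and local_src:
            return "drop: ingress source claims a local prefix (inbound spoof)"
        return "accept"


def filter_packets(fw, packets):
    """Return (src, direction, verdict) for each packet, in order."""
    return [(p.src, p.direction, fw.verdict(p)) for p in packets]


def demo():
    # Constructed prefixes from the RFC 5737 documentation ranges.
    fw = SourceAddressFilter(["192.0.2.0/24"])
    fw.add_route("198.51.100.0/25")
    packets = [
        Packet("192.0.2.10", "203.0.113.53", "egress"),    # legit outbound query
        Packet("203.0.113.7", "203.0.113.53", "egress"),   # local host spoofing
        Packet("203.0.113.53", "192.0.2.10", "ingress"),   # legit reply
        Packet("198.51.100.5", "192.0.2.10", "ingress"),   # outsider spoofing us
    ]
    return filter_packets(fw, packets)


if __name__ == "__main__":
    for src, direction, verdict in demo():
        print(f"{direction:7} {src:15} -> {verdict}")
```

The two rules are the same check seen from both sides of the interface, which is why they can be generated from the prefix list rather than hand-written per router; a segment that skips them is exactly the one Geo expects its upstream to isolate.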
