[dns-operations] DNS deluge for x.p.ctrc.cc

Geo. geoincidents at nls.net
Fri Mar 3 16:39:49 UTC 2006

> # I use them to confirm that my dns is resolving correctly beyond my
> # nameservers. It's not required but it's a nice capability that I would hate
> # to lose because spoofing is possible.
> so if OARC were to set up a public web page that allowed folks to do lookups
> using HTTP, (1) that would be a useful thing and (2) you'd stop worrying?

Not unless you are convinced that is the only possible valid use for
querying someone else's dns server.

Can't we just accept that there are valid uses for a free and open internet
functionality, even uses we haven't come up with yet, and instead look at
this from the point of view that we should not kill functionality unless
it's the last possible course of action?

> |       A: emits queries spoofed to come from C, aims them at B

If A is connected to AS17173 then he can't emit queries spoofed to come from
C; as more and more network segments implement *gress filtering it will
become less and less of a problem. It's no different than trying to lock
down recursive name servers, except that for an ISP it's a lot easier to put
a couple of rules in their backbone routers than to find and secure every dns
server connected to their network and deal with every new one that appears
daily. You asked about motivation; where is the motivation for that going to
come from?

> if "C" blocks "B" then "B" gains incentive to stop being an amplifier.

Who is B? 5000 dns servers scattered planet-wide on 5000 different network
segments with 5000 different abuse addresses. You're going to block access
via some sort of blacklist? Why not just turn the internet off, because when
dns does a PARTIAL fail it's not going to be like blocking smtp. It's going
to affect people all over the planet who are trying to do commerce with
sites who use those 5000 servers, and the errors are going to be weird and
difficult to troubleshoot. And since you can't troubleshoot by querying
someone else's dns servers, you are going to have to explain to them how to do

Let me know when you turn this system on because I'm scheduling my vacation
for that year..
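The message above argues that an ISP can stop the "A spoofs C, aims at B" pattern with a couple of rules in its backbone routers rather than by chasing every resolver on its network. The following is an added illustration of that egress (source-address validation) rule, not code from the list or from any AS mentioned; the prefixes and packets are constructed sample values, and the packet record is a hypothetical stand-in for whatever the router actually sees.

```python
"""Source-address validation on an ISP edge, as an added example.

A packet leaving the ISP whose source address is not inside one of the
ISP's own assigned prefixes cannot be a legitimate customer packet, so it
is dropped. That is exactly what stops a host inside the ISP (the "A" in
the thread) from emitting queries that appear to come from the victim "C".
"""
import ipaddress
from dataclasses import dataclass

# Constructed example prefixes standing in for the address space an ISP
# legitimately originates (documentation ranges, not any real assignment).
ASSIGNED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass
class Packet:
    """Hypothetical minimal view of an outbound packet header."""
    src: str
    dst: str
    dport: int


def is_spoofed(pkt: Packet, prefixes=ASSIGNED_PREFIXES) -> bool:
    """True when the source address is outside every assigned prefix."""
    src = ipaddress.ip_address(pkt.src)
    return not any(src in prefix for prefix in prefixes)


def filter_egress(packets, prefixes=ASSIGNED_PREFIXES):
    """Split outbound traffic into forwarded and dropped lists.

    Dropped packets are the ones an operator would also want to log, since
    each one points at a customer host that is emitting forged sources.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        (dropped if is_spoofed(pkt, prefixes) else forwarded).append(pkt)
    return forwarded, dropped


# Constructed sample traffic: two genuine customer DNS queries and one
# packet whose source lies outside the ISP's space (the spoofed "C").
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "203.0.113.53", 53),
    Packet("203.0.113.7", "203.0.113.53", 53),
    Packet("198.51.100.77", "203.0.113.53", 53),
]

if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for pkt in drop:
        print(f"dropped spoofed source {pkt.src} -> {pkt.dst}:{pkt.dport}")
```

The check is applied per packet at the edge and needs no knowledge of which resolvers exist inside the network, which is the thread's point about why it is cheaper for an ISP than auditing every dns server.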
