[dns-operations] DNS deluge for x.p.ctrc.cc

Geo. geoincidents at nls.net
Fri Mar 3 20:16:20 UTC 2006


> since i know how to direct my effort to protect my nameserver
> against reply streams from open recursive name servers receiving
> spoofed-source query streams (since i know who those open recursive
> name servers are)

How do you know who those open recursive name servers are? Oh, I get it, you
run a blacklist, so when an open recursive server gets used you blacklist it.
All automated, no daily hassles on your part, quite nice.

But for the rest of us it's going to be a nightmare we have to deal with
daily. New DNS servers pop up every day on an ISP's network, so it's
whack-a-mole like it was with open relays. Troubleshooting DNS issues which
can manifest themselves as anything from spam filters to credit card
processing.

With *gress filters we do it once and it's done; it's not a hardship on the
good guys. OK, so you can't run an automated blacklist, but put a team
together and sweep the net (spoof a request to their DNS server for
something you can detect); if an ISP or business is unresponsive, have whoever
they connect to implement the spoof protection. Talk Google into blocking
access from spoofable areas; there are lots of ways to get it done.

> should root and TLD nameserver operators choose to be available
> to all parties or should they choose to be available while they are
> attacked? your answer only has to cover the time between today and
> universal BCP38 deployment.

"Should they choose to be available while they are attacked?" I don't
understand what you are asking here; can you reword this?

Geo.



