[dns-operations] DNS whitelisting

Paul Vixie paul at vix.com
Wed Mar 8 23:27:44 UTC 2006
# > they wouldn't be getting punished for doing stupid dns tricks.  they'd be
# > caught in the crossfire between non-BCP38 launchpoints and ultimate
# > victims.
# 
# How far up the prefix chain would you block?  By announcement? By /32 of the
# resolver?

i expect people to use policy based routing to block from source addresses
that are present in a BGP feed, and that the BGP feed contain the addresses
of known-reflective (open recursive, possibly amplifying) dns servers.

# If Speakeasy isn't BCP38 compliant and they have 1000's of small
# businesses many of whom may be running open resolvers behind them,  are
# they just considered "motivation to become BCP38 compliant?"

this isn't a plan to block non-BCP38 networks.  by definition, we do not
know which of those was responsible for allowing any given spoofed-source
attack to be launched.

# I do think that in the short term there will be a net effect of port 53
# firewalling to deal with "dns problems" but I see that happening before
# BCP38 network changes -- it's a far simpler change for most organizations.

and as others here have pointed out, that won't fix the real problem.  it
will however stop this particular way of exploiting the real problem.
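
As an added illustration of the filtering described above (example code, not from the thread or any real feed): a small Python simulation of a policy-based routing rule that drops packets whose source address appears in a reflector feed; the feed entries and packets are constructed, and the /24 entry is there to show the collateral impact behind the "how far up the prefix chain" question.

```python
"""Simulate a PBR drop rule driven by a feed of known open-recursive DNS servers.
All feed entries and packets below are constructed sample data."""
import ipaddress
from collections import Counter

# Constructed feed, as it might be distributed via BGP: two /32 host entries
# and one whole announcement, to contrast the two granularities.
REFLECTOR_FEED = [
    "192.0.2.53/32",     # known open recursive server
    "198.51.100.7/32",   # known open recursive server
    "203.0.113.0/24",    # an entire announcement listed as reflective
]

# Constructed packets: (src, dst, proto, sport, dport, bytes)
PACKETS = [
    ("192.0.2.53", "10.9.9.9", "udp", 53, 40000, 3200),     # reflected reply to victim
    ("198.51.100.7", "10.9.9.9", "udp", 53, 40000, 3400),   # reflected reply to victim
    ("10.9.9.9", "192.0.2.53", "udp", 40000, 53, 60),       # spoofed query toward reflector
    ("203.0.113.25", "10.1.1.1", "tcp", 52000, 443, 1500),  # innocent host inside listed /24
    ("172.16.5.5", "10.1.1.1", "udp", 53, 33000, 120),      # reply from an unlisted resolver
]

def build_filter(feed):
    """Parse feed entries into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in feed]

def pbr_action(pkt, nets):
    """Return 'drop' if the packet's *source* address falls inside any feed entry.
    Only the source is inspected, so a spoofed query sent *toward* a listed
    reflector is still forwarded: this stops the reflected flood, not the
    non-BCP38 network that launched it."""
    src = ipaddress.ip_address(pkt[0])
    return "drop" if any(src in net for net in nets) else "forward"

def apply_filter(packets, feed):
    """Classify every packet; return the per-packet actions and a summary."""
    nets = build_filter(feed)
    actions = [pbr_action(p, nets) for p in packets]
    summary = dict(Counter(actions))
    # Bytes that never reach their destination: the absorbed amplification
    # plus any collateral from coarse (/24) entries.
    summary["dropped_bytes"] = sum(p[5] for p, a in zip(packets, actions) if a == "drop")
    return actions, summary

if __name__ == "__main__":
    acts, summ = apply_filter(PACKETS, REFLECTOR_FEED)
    for p, a in zip(PACKETS, acts):
        print(f"{a:8} {p[0]:>14} -> {p[1]:<10} {p[2]}/{p[3]}->{p[4]} {p[5]}B")
    print(summ)
```

Note that the innocent 203.0.113.25 host is dropped only because its announcement, not its address, was listed; feeds of /32 entries avoid that collateral damage.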
