[dns-operations] Best Practices in DNS security

Geo. geoincidents at nls.net
Sun Mar 19 18:03:02 UTC 2006

> i usually don't answer somebody who sends five messages to the same
> list in a matter of a few hours,

Sorry about that but this is really a quite important issue to me so please
make this one last exception.

> Mr. A runs a non-BCP38 network.

Mr A is the problem, lets deal with Mr A and leave the others alone. B and C
are both victums.

> so please stop telling me to deploy BCP38 in order to protect myself
> spoofage that happens on somebody else's network.

that's not what I'm saying, what I'm saying is if you intend to impliment a
blacklist solution then lets blacklist Mr A instead of Mr B. Mr A is
responsible for far more than just this one dns attack vector.

Previously I wasn't aware of a way to test for BCP38 compliance but I think
using DNS servers for the test I have come up with a valid way to confirm at
least a partial test (emailed to you separately) and I think it should be
far easier to base a blacklist strategy on that then on each individual dns
server on the planet.

I do believe it would result in a faster cleanup of this issue and every
other BCP38 related issue and is far more worthy of our efforts than just
cleaning up the dns flood problem.

The test was simple, you host domain bcp38test.com (or whatever test domain
you like)

You need to test an open recursive dns server at so you spoof a
query to it with a source address of and with the query
being You then watch your dns server for this query,
if it shows up you know that network is not BCP38 and you check arin for the
whole netblock then blacklist the netblock instead of just the one dns
server. Now the ISP over there has a major problem (more motivation) and has
to deal with it or nothing works anywhere on their network instead of just
one dns server failing.

If we can make a test like that work, it is more effective and more
efficient than blacklisting on a server by server basis and has the added
advantage that it can be cleaned up by the ISP with far far less work on
their part and without involving their customers.



More information about the dns-operations mailing list