[dns-operations] Best Practices in DNS security
Roland Dobbins
rdobbins at cisco.com
Sun Mar 19 22:16:35 UTC 2006
On Mar 19, 2006, at 8:49 AM, Geo. wrote:
> Spoof a request to a DNS server on the subnet you are testing, spoof it as the address next to that server and have it query for one of your domains, and if you get a DNS query for that domain from the IP you are testing then they are not filtering inbound traffic for their own netblock addresses.
The problem with this is that this tests the -inbound- filtering, but not the -outbound- filtering from the perspective of that particular PoP. Also, if -you- and/or -your peers/transit providers- have implemented outbound anti-spoofing, this won't work, anyways (unless you poke a hole for your spoof-box and somehow convince your peers/transit providers to do so, which won't be easy due to the associated opex).

In the context of open recursors as an attack vector, the problem is -outbound- anti-spoofing on every network on 'the Internet', is it not?
----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Everything has been said. But nobody listens.
-- Roger Shattuck
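The inbound/outbound distinction Roland draws is easy to get wrong, so here is a small model of the two anti-spoofing checks as an added example; it is not code from the thread or from either poster. The netblock (a documentation prefix), the sample packets and the function names are all constructed for illustration. It shows that a PoP with only inbound filtering drops the probe described in the quoted message yet still forwards a packet leaving with a source outside its own netblock, which is exactly the case outbound (BCP38-style egress) filtering exists to catch.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the netblock this PoP announces (documentation prefix, not a real network).
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str        # claimed source address
    dst: str        # destination address
    direction: str  # "inbound" = arriving from peers/transit, "outbound" = leaving toward them


def is_own_address(addr: str) -> bool:
    """True if addr falls inside one of our own announced prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWN_PREFIXES)


def inbound_filter(pkt: Packet) -> bool:
    """Inbound anti-spoofing: a packet arriving from outside must not claim one of
    our own addresses as its source. Returns True if the packet passes."""
    return not (pkt.direction == "inbound" and is_own_address(pkt.src))


def outbound_filter(pkt: Packet) -> bool:
    """Outbound anti-spoofing (BCP38 egress): a packet leaving our network must carry
    a source from our own netblock. Returns True if the packet passes."""
    return not (pkt.direction == "outbound" and not is_own_address(pkt.src))


def evaluate(pkt: Packet, inbound: bool, outbound: bool) -> str:
    """Apply whichever filters this PoP has deployed and report the packet's fate."""
    if inbound and not inbound_filter(pkt):
        return "dropped by inbound filter"
    if outbound and not outbound_filter(pkt):
        return "dropped by outbound filter"
    return "forwarded"


# Constructed traffic: the inbound probe from the quoted message (a source inside our
# netblock arriving from outside), an outbound packet whose source is not ours (the
# case egress filtering exists to stop), and a legitimate outbound query.
SAMPLES = {
    "inbound_probe_claiming_our_address": Packet("198.51.100.53", "198.51.100.54", "inbound"),
    "outbound_foreign_source": Packet("203.0.113.7", "192.0.2.1", "outbound"),
    "outbound_legitimate": Packet("198.51.100.10", "192.0.2.1", "outbound"),
}

# Two deployment states: inbound filtering only, or inbound plus outbound.
CONFIGS = {
    "inbound_only": dict(inbound=True, outbound=False),
    "both": dict(inbound=True, outbound=True),
}


def run_matrix() -> dict:
    """Verdict for every (sample, config) pair, keyed as 'sample/config'."""
    return {
        f"{name}/{cfg}": evaluate(pkt, **flags)
        for name, pkt in SAMPLES.items()
        for cfg, flags in CONFIGS.items()
    }


if __name__ == "__main__":
    for key, verdict in run_matrix().items():
        print(f"{key:55} {verdict}")
```

Reading the matrix: the probe is caught in both configurations, so a successful drop of that probe says nothing about whether the PoP also filters what leaves it; only the "both" configuration drops the outbound packet with a foreign source.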