[dns-operations] Best Practices in DNS security

Roland Dobbins rdobbins at cisco.com
Sun Mar 19 22:16:35 UTC 2006

On Mar 19, 2006, at 8:49 AM, Geo. wrote:

> Spoof a request to a dns server on the subnet you are testing,  
> spoof it as
> the address next to that server and have it query for one of your  
> domains
> and if you get a dns query for that domain from the IP you are  
> testing then
> they are not filtering inbound traffic for their own netblock  
> addresses.

The problem with this is that this tests the -inbound- filtering, but  
not the -outbound- filtering from the perspective of that particular  
PoP.  Also, if -you- and/or -your peers/transit providers- have  
implemented outbound anti-spoofing, this won't work, anyways (unless  
you poke a hole for your spoof-box and somehow convince your peers/ 
transit providers to do so, which won't be easy due to the associated  

In the context of open recursors as an attack vector, the problem is - 
outbound- anti-spoofing on every network on 'the Internet', is it not?

Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

      Everything has been said.  But nobody listens.

                    -- Roger Shattuck

More information about the dns-operations mailing list