[dns-operations] Best Practices in DNS security
jpv at veldersjes.net
Tue Mar 21 19:43:22 UTC 2006
> Date: Sun, 19 Mar 2006 11:19:00 -0500
> From: Geo. <geoincidents at nls.net>
> Subject: Re: [dns-operations] Best Practices in DNS security
> [ ... ]
> The core issue is not recursive servers, it's spoofed udp packets.
> Why don't we fix the problem instead of treating just one symptom of
> the problem?

What fine alcoholic or intoxicating substance are you on?

Botnets aplenty around the world, and implementing BCP38 won't make
the problem of open-recursers go away or become less manageable.

If spoofing was that much of a problem (when viewed in this smaller
context!), then I'd really like to know why -being a member of an NREN
security team- we're not buried in complaints about issues which turn
out to be spoofing of UDP packets.

Being a good netizen and configuring your network cluefully however
would indeed entail making sure your customers can't spoof through
your infrastructure (and some other stuff like uRPF etc.). It's akin
to not running an open relay, taking measures against smurf amplifiers
etc. All basic and good practices, being core competence issues, just
like having good financial information.