[dns-operations] DNS Amplification Attacks
matt.pounsett at cira.ca
Tue Mar 21 20:32:22 UTC 2006
On 21-Mar-2006, at 15:12 , Ondřej Surý wrote:
> Anyway if I had to choose between easy troubleshooting and open
> recursors used as attack vector OR not-so-easy troubleshooting and
> closed attack vector for bad guys, then I am for second option.
Oh, we're absolutely agreed on that point. I just meant to point out
one possible reason for operators to push back against closing open
recursors. I'm sure there are going to be operators out there less
relaxed than I am about finding alternate means of discovering
whether that piece of odd behaviour being reported by someone is
actually just a broken DNS server outside my control.
> <demagogy :-)>
> You can easily argue that SMTP relays are an excellent tool to test
> whether mail is delivered to your mail server.
> </demagogy :-)>
Yes, but that's testing for a different problem. The correct analogy
would be testing whether a specific mail server on the 'net is able
to interact properly with yours. :)
>> How about DNS looking glasses that would allow queries to local (to
>> the looking glass server) DNS servers using only a web interface?
>> Conceptually more or less exactly the same as the looking glasses
>> for BGP queries offer.
> I am willing to prepare and provide such a tool. We can create
> ring of lg-recursors which would create tool for troubleshooting
> and allow us to start hunt for open recursors.
This would be quite useful even though, as noted, it doesn't solve
the whole problem of troubleshooting.
> P.S.: Please do not Cc: me I am subscribed to the list.
My apologies -- default behaviour of the mail client.