[dns-operations] blocking recursers
Randy Bush
randy at psg.com
Thu Mar 23 05:27:28 UTC 2006
presume i serve significant, i.e. users will notice if i
reject, zones.

if i had a record of the recursive servers used to reflect
an attack at my servers, would i be justified in blocking
every-day queries from them until they tested recursion-
free? (with lots of explanation and clue-pots, of course)

same question if it is a list of recursers used to reflect
an attack on someone else's servers.

same question if it is a list of recursers not yet shown
to be used in an attack. what have they done wrongly?
have they not followed the standards, etc?

do i have the right to test random hosts for recursive
service? is this unwarranted search/probing not an attack
itself?

do i have the right to test for recursive service hosts
which send legitimate queries to my servers? "hey, you
contacted me!"

randy