[dns-operations] blocking recursers
Pierre Baume
pierre at baume.org
Thu Mar 23 08:21:25 UTC 2006
On 3/23/06, Randy Bush <randy at psg.com> wrote:
>
> presume i serve significant, i.e. users will notice if i
> reject, zones.
>
> if i had a record of the recursive servers used to reflect
> an attack at my servers, would i be justified in blocking
> every-day queries from them until they tested recursion-
> free? (with lots of explanation and clue-pots, of course)

How about rate-limiting them? We do that for ICMP, right?

> same question if it is a list of recursers used to reflect
> an attack on someone else's servers.
>
> same question if it is a list of recursers not yet shown
> to be used in an attack. what have they done wrongly?
> have they not followed the standards, etc?
>
> do i have the right to test random hosts for recursive
> service? is this unwarranted search/probing not an attack
> itself?

Isn't this testing routine for mail relays?

> do i have the right to test for recursive service hosts
> which send legitimate queries to my servers? "hey, you
> contacted me!"
>
> randy

Just curious, I've been a bit out of touch with operations, lately. :-)
Pierre.