[dns-operations] blocking recursers
pierre at baume.org
Thu Mar 23 08:21:25 UTC 2006
On 3/23/06, Randy Bush <randy at psg.com> wrote:
> presume i serve significant, i.e. users will notice if i
> reject, zones.
> if i had a record of the recursive servers used to reflect
> an attack at my servers, would i be justified in blocking
> every-day queries from them until they tested recursion-
> free? (with lots of explanation and clue-pots, of course)

How about rate-limiting them? We do that for ICMP, right?

> same question if it is a list of recursers used to reflect
> an attack on someone else's servers.
> same question if it is a list of recursers not yet shown
> to be used in an attack. what have they done wrongly?
> have they not followed the standards, etc?
> do i have the right to test random hosts for recursive
> service? is this unwarranted search/probing not an attack

Isn't this testing routine for mail relays?

> do i have the right to test for recursive service hosts
> which send legitimate queries to my servers? "hey, you
> contacted me!"
Just curious, I've been a bit out of touch with operations, lately. :-)