[dns-operations] ultradns managed services

Florian Weimer fw at deneb.enyo.de
Tue May 23 16:31:51 UTC 2006


* Rick Wesson:

> would a bgp feed of /32 addresses of known open resolvers have
> helped anyone out of this situation?

As an emergency measure?  I don't think so.  You need a lot of testing
to see if this type of filtering affects your customer base.  For
example, there used to be quite a few open resolvers in Germany which
were used by many, many clients (because the ISP is huge), and you
certainly didn't want to filter them.  After all, most companies
aren't out there to police the net, but to offer some kind of service
to their customers.

IIRC, the ISP in question switched away from open resolvers after some
worm included their addresses hardwired in its code and used it to
perform DNS resolution, effectively carrying out a denial-of-service
attack.  Unfortunately, this isn't a generally applicable solution to
the problem. 8-/
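
[Added example, not part of the original message or thread.] A dry run of the kind of testing the reply calls for: replay a candidate /32 feed against observed customer DNS flows and count how many distinct customers depend on each listed resolver before anything is filtered. The feed entries, customer range, flow records and the max_clients threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation address ranges, not real resolvers).
FEED = ["192.0.2.53/32", "198.51.100.7/32", "203.0.113.9/32"]
CUSTOMER_NETS = ["10.20.0.0/16"]
# (source address, destination address, destination port) from flow export
FLOWS = [
    ("10.20.1.5", "192.0.2.53", 53),
    ("10.20.1.6", "192.0.2.53", 53),
    ("10.20.7.9", "192.0.2.53", 53),
    ("10.20.1.5", "192.0.2.53", 53),
    ("10.20.3.3", "198.51.100.7", 53),
    ("172.16.0.4", "198.51.100.7", 53),   # not a customer source
    ("10.20.3.3", "203.0.113.9", 443),    # not DNS
    ("10.20.9.9", "192.0.2.200", 53),     # resolver not in the feed
]

def assess_feed(feed, customer_nets, flows, max_clients=1):
    """Dry-run a /32 feed against observed customer DNS flows.

    Returns {prefix: {"clients": n, "queries": n, "safe": bool}}; a prefix is
    "safe" to filter when at most max_clients distinct customers used it.
    """
    hosts = {}
    for p in feed:
        net = ipaddress.ip_network(p)
        if net.prefixlen != net.max_prefixlen:
            raise ValueError(f"feed entry is not a host route: {p}")
        hosts[net.network_address] = p
    customers = [ipaddress.ip_network(n) for n in customer_nets]
    clients = defaultdict(set)   # feed prefix -> distinct customer sources
    queries = defaultdict(int)   # feed prefix -> DNS flow count
    for src, dst, dport in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport != 53 or dst_ip not in hosts:
            continue
        if not any(src_ip in net for net in customers):
            continue
        clients[hosts[dst_ip]].add(src_ip)
        queries[hosts[dst_ip]] += 1
    return {p: {"clients": len(clients[p]), "queries": queries[p],
                "safe": len(clients[p]) <= max_clients} for p in hosts.values()}

if __name__ == "__main__":
    for prefix, r in assess_feed(FEED, CUSTOMER_NETS, FLOWS).items():
        print(prefix, r)
```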