* Gilles Massen wrote: > A very practical question: would a (potentially open) resolver be less at risk > if it forwarded all the queries to a 'good' resolver? If you control the last mile between the vulnerable and the patched resolver (especially against spoofing): Yes, this is a workaround.