[dns-operations] DNS vulnerability: lowering risks by forwarding?

Gilles Massen gilles.massen at restena.lu
Thu Jul 10 09:32:10 UTC 2008

Lutz Donnerhacke wrote:

> * Gilles Massen wrote:
> > A very practical question: would a (potentially open) resolver be less at
> > risk if it forwarded all the queries to a 'good' resolver?
> If you control the last mile between the vulnerable and the patched
> resolver (especially against spoofing): Yes, this is a workaround.

Thanks! The last mile is reasonably spoofing-proof, except possibly from 
client machines on the same subnet as the vulnerable resolvers. But these 
would have much more powerful weapons anyway...
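
As an added illustration of the forwarding workaround discussed in this thread (not part of the original message): a BIND 9 `named.conf` fragment, assuming the vulnerable resolver runs BIND. The address 192.0.2.53 is a constructed placeholder for the patched resolver.

```conf
options {
    recursion yes;

    // Placeholder address (documentation range) standing in for the
    // patched resolver; replace with the real one.
    forwarders { 192.0.2.53; };

    // Never iterate from this host. The default, "forward first", falls
    // back to querying authoritative servers directly when the forwarder
    // does not answer, which re-exposes the unpatched resolver to
    // spoofed responses from outside the protected last mile.
    forward only;
};
```

With `forward only`, the only responses the vulnerable resolver accepts come from the forwarder, so the workaround holds only as long as that path is protected against spoofing, as stated in the thread.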


