[dns-operations] DNS vulnerability: lowering risks by forwarding?
Gilles Massen
gilles.massen at restena.lu
Thu Jul 10 09:32:10 UTC 2008
Lutz Donnerhacke wrote:
> * Gilles Massen wrote:
> > A very practical question: would a (potentially open) resolver be less at
> > risk if it forwarded all the queries to a 'good' resolver?
>
> If you control the last mile between the vulnerable and the patched
> resolver (especially against spoofing): Yes, this is a workaround.
Thanks! The last mile is reasonably spoofing-proof, except possibly from
client machines on the same subnet as the vulnerable resolvers. But these
would have much more powerful weapons anyway...
Gilles
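
Added example, not part of the original message: one way to set up the forwarding workaround discussed in this thread, assuming the vulnerable resolver runs BIND 9 (the thread does not name the software). The addresses are documentation placeholders. The ACL addresses the "potentially open" part of the question.

```conf
// named.conf fragment for the not-yet-patched resolver.
// Assumptions: BIND 9 syntax; 192.0.2.0/24 stands in for the local
// client network, 198.51.100.53 for the patched resolver.

acl "our-clients" { 192.0.2.0/24; localhost; };

options {
    recursion yes;

    // Answer recursive queries only for our own clients, so outside
    // hosts cannot make this resolver send queries on their behalf.
    allow-recursion { "our-clients"; };

    // Send every cache miss to the patched resolver.
    forwarders { 198.51.100.53; };

    // "only": if the forwarder does not answer, the lookup fails.
    forward only;

    // Weak alternative, shown for contrast:
    //   forward first;
    // With "first", a forwarder timeout makes this resolver query
    // authoritative servers itself, which is the exposure the
    // workaround is meant to remove.
};
```

The forwarded queries themselves still leave the unpatched resolver, so this only helps when spoofed replies cannot reach it on the path to the forwarder, which is the condition stated in the reply above.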