[dns-operations] dns response rate limiting (DNS RRL) patch available for testing

Kostas Zorbadelos kzorba at otenet.gr
Mon Jun 18 11:36:10 UTC 2012


Stephane Bortzmeyer <bortzmeyer at nic.fr> writes:

> On Tue, Jun 12, 2012 at 08:15:00PM +0000,
>  Paul Vixie <paul at redbarn.org> wrote 
>  a message of 21 lines which said:
>
>> [recursive servers are] a separate problem, and most of the time the
>> fix is to add an ACL to deny off-net or off-campus query traffic.
>
> If you don't do ingress filtering, it still allows people to attack
> your users (they can send from the outside a "ANY ripe.net" query
> claiming to be from a local machine).

The same is true if you have open resolvers / forwarders in your
networks (problem CPEs for example) and they accept spoofed queries from
the outside.

What is the proposed mitigation for the ISP caching resolver in these
cases?

Regards,
Kostas
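As an added illustration, not taken from the thread, here is the kind of BIND 9 `named.conf` ACL Paul Vixie refers to; the network prefixes are placeholder assumptions, and the comments note why a source-address ACL on its own does not cover the spoofed-source case Stephane and Kostas raise:

```conf
// Added example, not from the thread. Prefixes are placeholders
// (RFC 5737 / RFC 3849 documentation space), substitute your own ranges.
acl "on-net" {
    192.0.2.0/24;        // customer / campus IPv4 range (placeholder)
    2001:db8::/32;       // customer / campus IPv6 range (placeholder)
    localhost;
};

options {
    // Recursion and cache access only for on-net sources;
    // everything else gets REFUSED.
    allow-recursion   { on-net; };
    allow-query-cache { on-net; };

    // The ACL is matched against the UDP source address of the query.
    // A query whose source is forged to an on-net address still matches,
    // so the ACL alone does not stop the "ANY ripe.net" reflection
    // against your own users described above. That needs ingress
    // filtering (BCP 38) at the network edge, plus finding and closing
    // open forwarders (such as CPEs) inside the network.
};
```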


