[dns-operations] dns response rate limiting (DNS RRL) patch available for testing
Kostas Zorbadelos
kzorba at otenet.gr
Mon Jun 18 11:36:10 UTC 2012
Stephane Bortzmeyer <bortzmeyer at nic.fr> writes:
> On Tue, Jun 12, 2012 at 08:15:00PM +0000,
> Paul Vixie <paul at redbarn.org> wrote
> a message of 21 lines which said:
>
>> [recursive servers are] a separate problem, and most of the time the
>> fix is to add an ACL to deny off-net or off-campus query traffic.
>
> If you don't do ingress filtering, it still allows people to attack
> your users (they can send from the outside a "ANY ripe.net" query
> claiming to be from a local machine).
The same is true if you have open resolvers / forwarders in your
networks (problem CPEs for example) and they accept spoofed queries from
the outside.
What is the proposed mitigation for the ISP caching resolver in these
cases?
Regards,
Kostas
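To make the problem in this exchange concrete, the following is an added model (not code from the thread, from Paul Vixie's RRL patch, or from any resolver) of three separate controls: a recursion ACL on the caching resolver, a BCP38-style ingress filter at the network border, and a per-prefix response rate limiter. Every address, interface name and packet in it is constructed for the example. It shows that the ACL alone does not stop a query arriving from the outside with a forged on-net source (the ACL sees a local address and answers toward the victim), that ingress filtering on the external interface drops exactly that packet, and that rate limiting bounds how much the resolver will send toward the spoofed source either way.

```python
"""Hypothetical model of an ISP caching resolver behind a border filter.

Controls modelled (all assumptions for the example, not a real implementation):
  1. recursion ACL: answer only sources inside ON_NET
  2. BCP38 ingress filter: drop packets on the external interface whose
     source address claims to be on-net
  3. response rate limiting: bound answers per source /24 per window;
     excess responses are alternately truncated (TC=1) and dropped
"""
import ipaddress
from collections import defaultdict

# constructed customer range that the resolver is willing to recurse for
ON_NET = [ipaddress.ip_network("192.0.2.0/24")]


def on_net(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ON_NET)


def passes_border(pkt: dict) -> bool:
    """BCP38-style ingress check: an on-net source address must never
    arrive on the external interface."""
    return not (pkt["iface"] == "ext" and on_net(pkt["src"]))


class ResponseRateLimiter:
    """Counts responses per source /24 within fixed windows.

    Once a prefix exceeds `limit` responses in a window, every `slip`-th
    excess response is returned truncated (so a genuine client retries over
    TCP, which cannot be spoofed) and the others are dropped."""

    def __init__(self, limit: int, window_s: float, slip: int = 2):
        self.limit = limit
        self.window = window_s
        self.slip = slip
        self.counts = defaultdict(int)  # (prefix, window index) -> responses

    def decide(self, src: str, now: float) -> str:
        prefix = ipaddress.ip_network(f"{src}/24", strict=False)
        key = (prefix, int(now // self.window))
        self.counts[key] += 1
        n = self.counts[key]
        if n <= self.limit:
            return "answer"
        excess = n - self.limit
        if self.slip and excess % self.slip == 0:
            return "truncate"
        return "drop"


def resolver(pkt: dict, rrl: ResponseRateLimiter, now: float) -> str:
    """Recursion ACL first, then rate limiting on what would be answered."""
    if not on_net(pkt["src"]):
        return "refused"
    return rrl.decide(pkt["src"], now)


def run(packets: list, ingress_filtering: bool, rrl_limit: int = 5) -> dict:
    """Feed packets through the border and the resolver; return outcome counts.
    Packets are spaced 10 ms apart so a short flood falls in one 1 s window."""
    rrl = ResponseRateLimiter(rrl_limit, window_s=1.0)
    outcome = defaultdict(int)
    for i, pkt in enumerate(packets):
        now = i * 0.01
        if ingress_filtering and not passes_border(pkt):
            outcome["dropped_at_border"] += 1
            continue
        outcome[resolver(pkt, rrl, now)] += 1
    return dict(outcome)


def spoofed_flood(victim: str = "192.0.2.10", n: int = 50) -> list:
    """Constructed attack traffic: 'ANY ripe.net' queries from outside,
    each forging the victim's on-net address as source."""
    return [{"iface": "ext", "src": victim, "qname": "ripe.net.", "qtype": "ANY"}
            for _ in range(n)]


LEGIT = {"iface": "int", "src": "192.0.2.20", "qname": "example.com.", "qtype": "A"}
OFF_NET = {"iface": "ext", "src": "203.0.113.5", "qname": "example.com.", "qtype": "A"}

if __name__ == "__main__":
    print("no ingress filter :", run(spoofed_flood(), ingress_filtering=False))
    print("with ingress filter:", run(spoofed_flood(), ingress_filtering=True))
    print("legit / off-net    :", run([LEGIT, OFF_NET], ingress_filtering=True))
```

Without the border filter the resolver's ACL accepts all fifty forged queries, and only the rate limiter keeps the victim from receiving fifty full ANY answers; with the filter none of them reach the resolver at all. The off-net query is refused by the ACL in both cases, which is the case the ACL was designed for.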