[dns-operations] question for DNS being attacked
Michael Hoskins (michoski)
michoski at cisco.com
Fri Jun 29 07:29:46 UTC 2012
-----Original Message-----
From: Paul Vixie <paul at redbarn.org>
Date: Thursday, June 28, 2012 11:10 PM
To: Mike Hoskins <michoski at cisco.com>
Cc: "dns-operations at lists.dns-oarc.net" <dns-operations at lists.dns-oarc.net>
Subject: Re: [dns-operations] question for DNS being attacked
>On 2012-06-29 1:22 AM, Michael Hoskins (michoski) wrote:
>>i'm watching RRL with interest. as mentioned in the tech note, it's not
>> really needed on internal servers where preexisting / better understood
>> methods can keep clients under control. externally i don't really need
>>it with the current infrastructure i manage, but it couldn't hurt.
>
>nothing in the world "couldn't hurt"; please don't apply that standard
>here. some day this kind of rate limiting or some smarter kind will have
>to be the default for all wide area udp services. nobody has yet turned
>it off as a result of problems or when there were no other attacks; but
>it's a code and behaviour change and should be undertaken only seriously
>especially in these early days.
agreed -- i'll test in phases..starting with about 1/4 of our external
servers (only about 1/4 of which need to be up at any point in time).
my main point about "[not] really need[ing] it" was because we only serve
a handful of direct queries, most of our external infra just acts as
origin servers for well known DNS providers...i suspect those are the
folks who really need this kind of thing most in light of all the attacks
from Anonymous and similar groups.
"it couldn't hurt" in that, despite mostly not being directly affected by
such things, as RRL gets more testing and becomes a best practice (or
something similar) i'm sure to widely adopt it like any other DNS BCPs.
while not as useful as it would be to some of the upstream DNS hosting
companies we utilize, it would be useful for the few directly exposed
authoritative servers we still run.
i would never suggest making changes to critical environments is something
to be taken lightly. sorry if i implied otherwise.
More information about the dns-operations
mailing list