[dns-operations] Recently closed open resolver and reflection attacks
nudgemac at fastmail.fm
Thu Mar 7 08:29:55 UTC 2013
On Wed, Mar 6, 2013 Vernon Schryver wrote:
> A few recursive servers such as those at 184.108.40.206 apparently want to
> attract requests from the whole Internet. I agree that most recursive
> servers should know their client bases by IP address or authenticating
> token, but in practice that has problems. Many organizations want
> their users to send DNS requests to their recursive servers from any
> hotel, airport, customer site, etc. That wrecks limits by IP address.
> I know of no way to use authentication on end user computers except
> by something like installing a forwarding, caching DNS server on every
> end user computer.
What would be the effects on DNS infrastructure operations if for
example several million Apple laptops were configured this way in a
short time frame?
> No stub resolvers seem to have provisions for TSIG.
mDNSResponder with DNSprivate?