[dns-operations] Recently closed open resolver and reflection attacks

nudge nudgemac at fastmail.fm
Thu Mar 7 08:29:55 UTC 2013

On Wed, Mar 6, 2013 Vernon Schryver wrote:
> A few recursive servers such as those at apparently want to
> attract requests from the whole Internet.  I agree that most recursive
> servers should know their client bases by IP address or authenticating
> token, but in practice that has problems.  Many organizations want
> their users to send DNS requests to their recursive servers from any
> hotel, airport, customer site, etc.  That wrecks limits by IP address.
> I know of no way to use authentication on end user computers except
> by something like installing a forwarding, caching DNS server on every
> end user computer.  

What would be the effects on DNS infrastructure operations if for
example several million Apple laptops were configured this way in a
short time frame?

> No stub resolvers seem to have provisions for TSIG.

mDNSResponder with DNSprivate?
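As an added illustration of the two server-side options the quoted text contrasts (client base known by IP address versus by authenticating token), not taken from the thread or from any named deployment: a BIND 9 named.conf fragment showing the open-resolver setting beside one that restricts recursion to an address ACL plus a TSIG key. The prefixes, the key name and the secret are constructed placeholders; the key entry only helps clients able to sign with TSIG, i.e. a local forwarding resolver rather than a plain stub.

```conf
// --- Weak: open resolver (constructed example) ---
// Answers recursive queries from any source, so spoofed queries
// turn this server into a reflector for whoever is being targeted.
options {
    recursion yes;
    allow-recursion { any; };
};

// --- Restricted: known clients by address or by TSIG key ---
// Roaming users on an unknown address can still be served if their
// local forwarding resolver signs queries with this key (placeholder).
key "roaming-users" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

acl "clients" {
    localhost;
    192.0.2.0/24;      // constructed example prefix (RFC 5737)
    2001:db8::/32;     // constructed example prefix (RFC 3849)
};

options {
    recursion yes;
    // address_match_list may mix prefixes, ACL names and key IDs
    allow-recursion   { clients; key "roaming-users"; };
    allow-query-cache { clients; key "roaming-users"; };
};
```

Check the effect from an outside address with a recursive query (e.g. `dig @server example.com +norecurse` versus a normal query); a correctly restricted server returns REFUSED or no recursion rather than an answer.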

