[dns-operations] Storm on the DNS
pyh at cloud-china.org
Wed Dec 16 05:41:18 UTC 2015
Is there a group/org that maintains the list of public DNS cache servers
around the world?
If so, we, the auth-nameservers, can set up a firewall to permit only the
servers from this list to access in.
On 2015/12/16 Wednesday 13:22, Patrik Fältström wrote:
> On 16 Dec 2015, at 4:51, Dave Warren wrote:
>> Plus, if we're going to replace something as fundamental as DNS in any major way, BCP38 will cause a lot less pain overall and might well kick the replace-DNS can far enough down the road while mostly solving the current DDoS capabilities.
> BCP48 / SAC-004 is what is needed. The kick down the road is a pretty hard kick.
> The ability to have a stateless protocol for lookups is pretty nice.
> And "stateless communication on top of TCP" which HTTP does is not optimal either. And no, HTTP/2 is not really what we need either as it has many weaknesses.
> Beep was doing the right thing, and HTTP/3 might be where we need to go.
> Anyway, my point is that I completely agree with Dave here. If we could at last get some better control over the IP addresses, we would be in a better situation. And given the depletion of IPv4 space when people started to use each other's IP addresses, the situation will not be better, but worse, pretty quickly.
> As a defence during an attack I envision sooner than I expected blocking IPv4 be one mechanism that simply must be deployed.