[dns-operations] Storm on the DNS

Patrik Fältström paf at frobbit.se
Wed Dec 16 06:19:59 UTC 2015


On 16 Dec 2015, at 6:41, Yonghua Peng wrote:

> Is there a group/org who maintains the list of public DNS cache servers around the world?

A large number of the public DNS recursive resolvers exist due to misconfigurations. See the projects that track these down, for example http://openresolverproject.org

> If so, we, the auth-nameservers, can set up a firewall to permit only the servers from this list to access in.

First of all, that would be counterproductive for everyone who queries the DNS directly from their computers and roams around on the net.

Secondly, it would be difficult to keep this list updated as new entities that correctly run their own resolvers must be able to run their own resolver.

Thirdly, as long as people can spoof the source IP address, firewalls in the classic form looking at source IP address will not be effective.

   Patrik Fältström
