[dns-operations] Storm on the DNS

Yonghua Peng pyh at cloud-china.org
Wed Dec 16 06:39:40 UTC 2015


Yes, all you said is right.
I know BCP48 is best practice, but very few ISP/IDCs follow this standard. So we have no valid way to defend against a spoofed IP attack?


On 2015/12/16 (Wednesday) 14:19, Patrik Fältström wrote:
> On 16 Dec 2015, at 6:41, Yonghua Peng wrote:
>
>> Is there a group/org who maintains the list of public DNS cache servers around the world?
>
> A large number of the public DNS recursive resolvers exist due to misconfigurations. See the projects that track these down. See for example http://openresolverproject.org
>
>> If so for us the auth-nameservers, can setup firewall to permit only the servers from this list to access in.
>
> First of all, that would be counterproductive for everyone who queries the DNS directly from their computers and roams around on the net.
>
> Secondly, it would be difficult to keep this list updated, as new entities that correctly run their own resolvers must be able to run their own resolver.
>
> Thirdly, as long as people can spoof the source IP address, firewalls in the classic form looking at source IP address will not be effective.
>
>     Patrik Fältström
>
