[dns-operations] Storm on the DNS
pyh at cloud-china.org
Wed Dec 16 06:39:40 UTC 2015
Yes, all you said is right.
I know BCP48 is best practice, but very few ISPs/IDCs follow this
standard. So we have no valid way to defend against a spoofed IP attack?
On 2015/12/16 Wednesday 14:19, Patrik Fältström wrote:
> On 16 Dec 2015, at 6:41, Yonghua Peng wrote:
>> Is there a group/org who maintains the list of public DNS cache servers around the world?
> A large number of the public DNS recursive resolvers exist due to misconfigurations. See the projects that track these down. See for example http://openresolverproject.org
>> If so, for us the auth-nameservers can set up a firewall to permit only the servers from this list to access in.
> First of all, that would be counterproductive for everyone who queries the DNS directly from their computers and roams around on the net.
> Secondly, it would be difficult to keep this list updated, as new entities that correctly run their own resolvers must be able to run their own resolver.
> Thirdly, as long as people can spoof the source IP address, firewalls in the classic form looking at source IP address will not be effective.
> Patrik Fältström
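The thread's point is that source-IP firewalling on the authoritative server cannot help while spoofed packets are still admitted into the network, and that the fix belongs at the provider edge. The following is an added example, not code from the thread or from any of its participants: it models the ingress source-address filtering documented in RFC 2827 / BCP 38, where each customer-facing interface only forwards packets whose source address lies in the prefixes assigned to that customer. The interface names, prefixes and traffic sample are constructed for illustration.

```python
"""Ingress source-address filtering (RFC 2827 / BCP 38) at a provider edge.

Constructed example: each customer-facing interface knows the prefixes
assigned to the customer behind it. A packet arriving on that interface
with a source address outside those prefixes cannot legitimately have
originated there, so it is dropped before it can reach an open resolver
or an authoritative server elsewhere on the Internet.
"""
import ipaddress
from collections import Counter

# Hypothetical interface -> assigned customer prefixes (constructed values).
INGRESS_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:1::/48")],
}


def source_is_valid(interface, src):
    """Return True if src lies inside a prefix assigned to this ingress interface.

    ipaddress returns False for an address/network version mismatch, so mixed
    IPv4/IPv6 prefix lists on one interface work without special handling.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INGRESS_PREFIXES.get(interface, []))


def filter_packets(packets):
    """Apply the ingress check to (interface, src, dst) tuples.

    Returns (forwarded, dropped); each dropped entry carries a reason string.
    """
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        if source_is_valid(iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst, "source outside assigned prefixes"))
    return forwarded, dropped


def summarize(packets):
    """Count dropped packets per interface; a sudden rise is worth alerting on."""
    _, dropped = filter_packets(packets)
    return dict(Counter(iface for iface, *_ in dropped))


# Constructed traffic sample. The last two packets on ge-0/0/1 claim source
# addresses that cannot be behind that interface: the pattern of a reflection
# flood, where the claimed source is the real victim and the destination is
# a resolver that will answer to it.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.7", "192.0.2.53"),
    ("ge-0/0/2", "198.51.100.9", "192.0.2.53"),
    ("ge-0/0/2", "2001:db8:1::10", "2001:db8:ffff::53"),
    ("ge-0/0/1", "192.0.2.200", "192.0.2.53"),
    ("ge-0/0/1", "10.0.0.5", "192.0.2.53"),
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for entry in drp:
        print("DROP", entry)
    print("drops per interface:", summarize(SAMPLE_PACKETS))
```

The check is deliberately placed on the ingress interface rather than on the authoritative server's firewall: by the time a spoofed query reaches the nameserver, the source address is indistinguishable from a legitimate roaming client's, which is exactly the limitation raised in the reply above.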