[dns-operations] Storm on the DNS

Nico CARTRON nicolas at ncartron.org
Mon Dec 21 07:55:38 UTC 2015


Hi Davey,

> On 21 Dec 2015, at 07:23, Davey(宋林健) <ljsong at biigroup.cn> wrote:
> 
> Thank you for the pointer to RFC5358, which is exactly what I would like to suggest.
> It does aim for open resolvers to adopt the recommended configuration.
> 
> The resolvers of ISPs and enterprises have fixed groups of users belonging to the same
> administration, in which there is little reason not to implement RFC5358. For open
> resolvers like Google, OpenDNS, DYN, 114DNS, which are based on global/national anycast,
> the query is most likely responded to by the nearest anycast node, which definitely knows the
> IP range of their frequent users. So RFC5358 is also applicable to such kinds of open resolvers.
> 
> So my intuitive question is: when DNS people strongly ask network operators to adopt BCP38
> to counter source address spoofing, should they consider BCP140 in the first place?

Well, "commercial" open resolvers (the likes of Google, OpenDNS, Dyn, ...) do implement protection mechanisms to avoid being used for amplification attacks. 

And as Paul pointed out, if you implement RFC5358, then all of a sudden, they are no longer open resolvers.
And I suspect that most of the "bad" open resolvers (i.e. *not* Google, Dyn, ...) are run (if we can use this verb) by people neglecting any configuration change or upgrade.
So it's a little bit pointless to force something, as they would not implement it anyway.

Cheers,

-- 
Nico
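
As an added illustration (not from either poster), here is what the RFC5358 configuration being discussed looks like in BIND 9: the open-resolver form next to one that answers recursive queries only for the operator's own client ranges. The ACL name and address ranges are assumptions (RFC 5737 / RFC 3849 documentation space).

```conf
// --- Open resolver: the configuration RFC5358 advises against ---
// Anyone on the Internet can use this server for recursion, so it can be
// used to reflect and amplify traffic toward a spoofed source address.
options {
    recursion yes;
    allow-recursion { any; };
};

// --- RFC5358-style resolver: recursion only for known clients ---
// Assumed ACL name and example ranges; replace with the operator's own
// customer/user prefixes. "localhost" is a built-in BIND ACL.
acl "our-users" {
    192.0.2.0/24;
    2001:db8::/32;
    localhost;
};

options {
    recursion yes;
    // Only listed clients may trigger recursion or read the cache; everyone
    // else gets REFUSED, so the server is no longer an open resolver.
    allow-recursion   { "our-users"; };
    allow-query-cache { "our-users"; };

    // Keep responses small to reduce the amplification factor of any
    // answers that are still sent.
    minimal-responses yes;

    // Response Rate Limiting (BIND 9.9.4+): cap identical responses per
    // second toward a single client prefix as a second line of defence.
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};
```

After reloading, a quick check is to send a recursive query from an address outside the ACL and confirm it is refused while queries from inside the listed ranges still resolve.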