[dns-operations] Storm on the DNS

Warren Kumari warren at kumari.net
Tue Dec 22 16:50:09 UTC 2015


... also, in many cases, the *auth* server is the one sending the packets,
and they have to accept packets from everywhere (unless you wanted to make
all recursive servers "register" somewhere, and then have auth servers
download a list. This fails on many many fronts).

Attackers adapt - folk should deploy BCP38 / SAC004, it will cut down on
much badness...

W

On Tue, Dec 22, 2015 at 11:27 AM Joe Abley <jabley at hopcount.ca> wrote:

> Hi Davey,
>
> On 20 Dec 2015, at 21:00, Song Linjian (Davey) wrote:
>
> > How about source validation on open resolvers themselves? Which means
> > all open resolvers only serve their local users.
>
> I think a resolver that only serves its local users is not an open
> resolver.
>
>
> Joe